Some checks failed
API CI / API Lint (push) Successful in 47s
API CI / API Type Check (push) Failing after 47s
API CI / API Test (push) Successful in 1m0s
API CI / API Build (push) Failing after 50s
API CI / Build Docker Image (push) Has been skipped
Build Crossplane Provider / build (push) Failing after 5m51s
CD Pipeline / Deploy to Staging (push) Failing after 29s
CI Pipeline / Lint and Type Check (push) Failing after 36s
CI Pipeline / Build (push) Has been skipped
CI Pipeline / Test Backend (push) Failing after 1m33s
CI Pipeline / Test Frontend (push) Failing after 30s
CI Pipeline / Security Scan (push) Failing after 1m16s
Crossplane Provider CI / Go Test (push) Failing after 3m23s
Crossplane Provider CI / Go Lint (push) Failing after 7m27s
Crossplane Provider CI / Go Build (push) Failing after 3m27s
Deploy to Staging / Deploy to Staging (push) Failing after 30s
Portal CI / Portal Lint (push) Failing after 21s
Portal CI / Portal Type Check (push) Failing after 21s
Portal CI / Portal Test (push) Failing after 21s
Portal CI / Portal Build (push) Failing after 22s
Test Suite / frontend-tests (push) Failing after 30s
Test Suite / api-tests (push) Failing after 49s
Test Suite / blockchain-tests (push) Failing after 30s
Type Check / type-check (map[directory:. name:root]) (push) Failing after 23s
Type Check / type-check (map[directory:api name:api]) (push) Failing after 21s
Type Check / type-check (map[directory:portal name:portal]) (push) Failing after 19s
Validate Configuration Files / validate (push) Failing after 1m52s
CD Pipeline / Deploy to Production (push) Has been skipped
Co-authored-by: Cursor <cursoragent@cursor.com>
977 lines
24 KiB
Markdown
977 lines
24 KiB
Markdown
# Phoenix MVP Control Plane Specification
|
|
|
|
**Minimum Viable Product (MVP) Definition for Phoenix Operating Model**
|
|
|
|
This document defines the MVP scope for the Phoenix operating model, including required APIs, data model extensions, implementation priorities, and sovereign government MVP requirements.
|
|
|
|
---
|
|
|
|
## Executive Summary
|
|
|
|
The Phoenix MVP Control Plane provides the minimum set of capabilities required to support sovereign government deployments with the five control planes (Commercial, Tenancy, Subscription, Environment, Content & DevOps). The MVP focuses on core functionality while maintaining the separation of concerns and enabling future expansion.
|
|
|
|
**MVP Principles:**
|
|
- **Core Functionality First**: Essential features for sovereign government deployments
|
|
- **Separation of Concerns**: All five control planes included in MVP
|
|
- **Sovereign Capabilities**: Support for sovereign, regulated, and air-gapped environments
|
|
- **Multi-Region Ready**: Foundation for multi-region deployments
|
|
- **Integration Ready**: Integration with existing infrastructure (Proxmox, Kubernetes, Keycloak)
|
|
|
|
---
|
|
|
|
## MVP Scope Definition
|
|
|
|
### What's In MVP
|
|
|
|
#### Commercial Plane MVP
|
|
- ✅ Client (Billing Profile) entity
|
|
- ✅ Basic billing aggregation
|
|
- ✅ Invoice generation
|
|
- ✅ Cost tracking per Client
|
|
- ✅ Payment instrument management
|
|
- ⚠️ Cost centers (basic support)
|
|
- ❌ Advanced chargeback (future)
|
|
|
|
#### Tenancy Plane MVP
|
|
- ✅ Tenant entity
|
|
- ✅ Primary domain management
|
|
- ✅ Keycloak realm integration (1:1)
|
|
- ✅ Basic RBAC namespace
|
|
- ✅ Data residency flags
|
|
- ✅ Compliance profile (basic)
|
|
- ⚠️ Multi-region tenants (basic support)
|
|
- ❌ Advanced federated identity (future)
|
|
|
|
#### Subscription Plane MVP
|
|
- ✅ Subscription entity
|
|
- ✅ Service bundles (compute, storage, networking)
|
|
- ✅ Basic quotas and limits
|
|
- ✅ Cost tracking per Subscription
|
|
- ✅ Policy packs (security, networking)
|
|
- ✅ Subscription types (Product, Sandbox)
|
|
- ⚠️ Shared Platform Subscription (basic)
|
|
- ❌ Innovation Subscription (future)
|
|
|
|
#### Environment Plane MVP
|
|
- ✅ Environment entity
|
|
- ✅ Environment types (DEV, INT, UAT, STAGING, PROD)
|
|
- ✅ Network isolation (basic)
|
|
- ✅ Data isolation (basic)
|
|
- ✅ Deployment policies (basic)
|
|
- ✅ Promotion flow (policy-driven)
|
|
- ⚠️ REGULATED environment (basic)
|
|
- ⚠️ SOVEREIGN environment (basic)
|
|
- ❌ AIR-GAPPED environment (future)
|
|
|
|
#### Content & DevOps Plane MVP
|
|
- ✅ Enterprise content hierarchy (basic)
|
|
- ✅ Git repository integration
|
|
- ✅ CI/CD pipeline integration (basic)
|
|
- ✅ Artifact registry integration
|
|
- ✅ Policy-driven promotion (basic)
|
|
- ⚠️ Approval workflows (basic)
|
|
- ❌ Advanced governance (future)
|
|
|
|
### What's Not In MVP (Future)
|
|
|
|
- Advanced chargeback and cost allocation
|
|
- Advanced federated identity across regions
|
|
- Innovation Subscription type
|
|
- AIR-GAPPED environment type
|
|
- Advanced content governance
|
|
- Multi-region promotion flows
|
|
- Advanced compliance automation
|
|
- Blockchain integration (optional in MVP)
|
|
|
|
---
|
|
|
|
## MVP for Each Control Plane
|
|
|
|
### Commercial Plane MVP
|
|
|
|
#### Core Features
|
|
|
|
**Client Entity:**
|
|
- Create, read, update, delete Client
|
|
- Legal entity information
|
|
- Contract and MSA management
|
|
- Invoicing configuration
|
|
- Payment instruments
|
|
|
|
**Billing:**
|
|
- Usage aggregation from Subscriptions
|
|
- Cost tracking per Client
|
|
- Invoice generation (PDF, JSON)
|
|
- Payment processing (basic)
|
|
|
|
**Cost Centers:**
|
|
- Basic cost center structure
|
|
- Cost allocation to cost centers
|
|
- Cost center reporting
|
|
|
|
#### Required APIs
|
|
|
|
```graphql
|
|
# Client Management
|
|
type Mutation {
|
|
createClient(input: CreateClientInput!): Client!
|
|
updateClient(id: ID!, input: UpdateClientInput!): Client!
|
|
deleteClient(id: ID!): Boolean!
|
|
}
|
|
|
|
type Query {
|
|
client(id: ID!): Client
|
|
clients(filter: ClientFilter): [Client!]!
|
|
}
|
|
|
|
# Billing
|
|
type Query {
|
|
billing(clientId: ID!, timeRange: TimeRange!): BillingData!
|
|
invoices(clientId: ID!, filter: InvoiceFilter): [Invoice!]!
|
|
}
|
|
|
|
type Mutation {
|
|
createInvoice(clientId: ID!, period: BillingPeriod!): Invoice!
|
|
processPayment(invoiceId: ID!, payment: PaymentInput!): Payment!
|
|
}
|
|
```
|
|
|
|
#### Data Model Extensions
|
|
|
|
```graphql
|
|
type Client {
|
|
id: ID!
|
|
name: String!
|
|
legalEntity: LegalEntity!
|
|
contract: Contract
|
|
invoicingConfig: InvoicingConfig!
|
|
paymentInstruments: [PaymentInstrument!]!
|
|
costCenters: [CostCenter!]!
|
|
tenants: [Tenant!]!
|
|
createdAt: DateTime!
|
|
updatedAt: DateTime!
|
|
}
|
|
|
|
type BillingData {
|
|
client: Client!
|
|
totalCost: Float!
|
|
currency: String!
|
|
period: TimeRange!
|
|
bySubscription: [SubscriptionCost!]!
|
|
byCostCenter: [CostCenterCost!]!
|
|
}
|
|
```
|
|
|
|
### Tenancy Plane MVP
|
|
|
|
#### Core Features
|
|
|
|
**Tenant Entity:**
|
|
- Create, read, update, delete Tenant
|
|
- Primary domain management
|
|
- Keycloak realm integration (automatic 1:1)
|
|
- RBAC namespace
|
|
- Data residency flags
|
|
- Compliance profile
|
|
|
|
**Identity:**
|
|
- Keycloak realm creation per Tenant
|
|
- Basic identity provider configuration
|
|
- User management (via Keycloak)
|
|
|
|
**Security:**
|
|
- Tenant as security boundary
|
|
- Network isolation per Tenant
|
|
- RBAC namespace isolation
|
|
|
|
#### Required APIs
|
|
|
|
```graphql
|
|
# Tenant Management
|
|
type Mutation {
|
|
createTenant(input: CreateTenantInput!): Tenant!
|
|
updateTenant(id: ID!, input: UpdateTenantInput!): Tenant!
|
|
deleteTenant(id: ID!): Boolean!
|
|
}
|
|
|
|
type Query {
|
|
tenant(id: ID!): Tenant
|
|
tenants(filter: TenantFilter): [Tenant!]!
|
|
}
|
|
|
|
# Identity
|
|
type Mutation {
|
|
configureIdentityProvider(tenantId: ID!, provider: IdentityProviderInput!): IdentityProvider!
|
|
syncKeycloakRealm(tenantId: ID!): KeycloakRealm!
|
|
}
|
|
```
|
|
|
|
#### Data Model Extensions
|
|
|
|
```graphql
|
|
type Tenant {
|
|
id: ID!
|
|
name: String!
|
|
primaryDomains: [String!]!
|
|
identityProvider: IdentityProvider!
|
|
rbacNamespace: String!
|
|
dataResidencyFlags: [DataResidencyFlag!]!
|
|
complianceProfile: ComplianceProfile!
|
|
client: Client!
|
|
subscriptions: [Subscription!]!
|
|
keycloakRealmId: String
|
|
createdAt: DateTime!
|
|
updatedAt: DateTime!
|
|
}
|
|
```
|
|
|
|
### Subscription Plane MVP
|
|
|
|
#### Core Features
|
|
|
|
**Subscription Entity:**
|
|
- Create, read, update, delete Subscription
|
|
- Service bundles (compute, storage, networking)
|
|
- Quotas and limits
|
|
- Policy packs (security, networking)
|
|
- Subscription types (Product, Sandbox)
|
|
|
|
**Quotas:**
|
|
- Compute quotas (vCPU, memory, instances)
|
|
- Storage quotas (total, per-instance)
|
|
- Network quotas (bandwidth, egress)
|
|
|
|
**Policy Packs:**
|
|
- Security policies
|
|
- Networking policies
|
|
- Basic data access policies
|
|
|
|
#### Required APIs
|
|
|
|
```graphql
|
|
# Subscription Management
|
|
type Mutation {
|
|
createSubscription(input: CreateSubscriptionInput!): Subscription!
|
|
updateSubscription(id: ID!, input: UpdateSubscriptionInput!): Subscription!
|
|
deleteSubscription(id: ID!): Boolean!
|
|
}
|
|
|
|
type Query {
|
|
subscription(id: ID!): Subscription
|
|
subscriptions(filter: SubscriptionFilter): [Subscription!]!
|
|
}
|
|
|
|
# Quotas
|
|
type Mutation {
|
|
updateQuotas(subscriptionId: ID!, quotas: QuotasInput!): Quotas!
|
|
checkQuota(subscriptionId: ID!, resource: ResourceType!): QuotaStatus!
|
|
}
|
|
```
|
|
|
|
#### Data Model Extensions
|
|
|
|
```graphql
|
|
type Subscription {
|
|
id: ID!
|
|
name: String!
|
|
tenant: Tenant!
|
|
client: Client!
|
|
type: SubscriptionType!
|
|
serviceBundles: [ServiceBundle!]!
|
|
quotas: Quotas!
|
|
limits: Limits!
|
|
policyPacks: [PolicyPack!]!
|
|
environments: [Environment!]!
|
|
createdAt: DateTime!
|
|
updatedAt: DateTime!
|
|
}
|
|
|
|
enum SubscriptionType {
|
|
PRODUCT
|
|
SANDBOX
|
|
}
|
|
```
|
|
|
|
### Environment Plane MVP
|
|
|
|
#### Core Features
|
|
|
|
**Environment Entity:**
|
|
- Create, read, update, delete Environment
|
|
- Environment types (DEV, INT, UAT, STAGING, PROD)
|
|
- Network isolation (basic)
|
|
- Data isolation (basic)
|
|
- Deployment policies (basic)
|
|
- Promotion flow (policy-driven)
|
|
|
|
**Promotion:**
|
|
- Policy-driven promotion between environments
|
|
- Basic approval workflows
|
|
- Automated promotion (DEV → INT → UAT)
|
|
- Manual approval (UAT → STAGING → PROD)
|
|
|
|
#### Required APIs
|
|
|
|
```graphql
|
|
# Environment Management
|
|
type Mutation {
|
|
createEnvironment(input: CreateEnvironmentInput!): Environment!
|
|
updateEnvironment(id: ID!, input: UpdateEnvironmentInput!): Environment!
|
|
deleteEnvironment(id: ID!): Boolean!
|
|
}
|
|
|
|
type Query {
|
|
environment(id: ID!): Environment
|
|
environments(filter: EnvironmentFilter): [Environment!]!
|
|
}
|
|
|
|
# Promotion
|
|
type Mutation {
|
|
promoteArtifact(input: PromoteArtifactInput!): PromotionResult!
|
|
approvePromotion(promotionId: ID!, approved: Boolean!): PromotionResult!
|
|
}
|
|
```
|
|
|
|
#### Data Model Extensions
|
|
|
|
```graphql
|
|
type Environment {
|
|
id: ID!
|
|
name: String!
|
|
type: EnvironmentType!
|
|
subscription: Subscription!
|
|
networkIsolation: NetworkIsolation!
|
|
dataIsolation: DataIsolation!
|
|
deploymentPolicies: [DeploymentPolicy!]!
|
|
promotionFlow: PromotionFlow
|
|
createdAt: DateTime!
|
|
updatedAt: DateTime!
|
|
}
|
|
|
|
enum EnvironmentType {
|
|
DEV
|
|
INT
|
|
UAT
|
|
STAGING
|
|
PROD
|
|
REGULATED
|
|
SOVEREIGN
|
|
}
|
|
```
|
|
|
|
### Content & DevOps Plane MVP
|
|
|
|
#### Core Features
|
|
|
|
**Content Hierarchy:**
|
|
- Enterprise, Portfolio, Product, Application, Component entities
|
|
- Basic ownership and governance
|
|
- Git repository mapping
|
|
|
|
**Git Integration:**
|
|
- Git repository management
|
|
- Branch strategy enforcement (basic)
|
|
- Protected branches (PROD)
|
|
|
|
**CI/CD Integration:**
|
|
- CI/CD pipeline integration
|
|
- Artifact registry integration
|
|
- Policy-driven promotion (basic)
|
|
- Basic approval workflows
|
|
|
|
#### Required APIs
|
|
|
|
```graphql
|
|
# Content Management
|
|
type Mutation {
|
|
createEnterprise(input: CreateEnterpriseInput!): Enterprise!
|
|
createPortfolio(input: CreatePortfolioInput!): Portfolio!
|
|
createProduct(input: CreateProductInput!): Product!
|
|
createApplication(input: CreateApplicationInput!): Application!
|
|
createComponent(input: CreateComponentInput!): Component!
|
|
}
|
|
|
|
type Query {
|
|
enterprise(id: ID!): Enterprise
|
|
portfolio(id: ID!): Portfolio
|
|
product(id: ID!): Product
|
|
application(id: ID!): Application
|
|
component(id: ID!): Component
|
|
}
|
|
|
|
# Git Integration
|
|
type Mutation {
|
|
createGitRepo(input: CreateGitRepoInput!): GitRepo!
|
|
configureBranchProtection(repoId: ID!, branch: String!, protection: BranchProtectionInput!): BranchProtection!
|
|
}
|
|
```
|
|
|
|
#### Data Model Extensions
|
|
|
|
```graphql
|
|
type Enterprise {
|
|
id: ID!
|
|
name: String!
|
|
portfolios: [Portfolio!]!
|
|
ownership: Ownership!
|
|
createdAt: DateTime!
|
|
updatedAt: DateTime!
|
|
}
|
|
|
|
type Application {
|
|
id: ID!
|
|
name: String!
|
|
product: Product!
|
|
components: [Component!]!
|
|
gitRepos: [GitRepo!]!
|
|
ownership: Ownership!
|
|
createdAt: DateTime!
|
|
updatedAt: DateTime!
|
|
}
|
|
```
|
|
|
|
---
|
|
|
|
## Multi-Region MVP Requirements
|
|
|
|
### Basic Multi-Region Support
|
|
|
|
**In MVP:**
|
|
- ✅ Multi-region Tenant support (basic)
|
|
- ✅ Regional data residency flags
|
|
- ✅ Regional landing zones (basic)
|
|
- ⚠️ Cross-region coordination (basic)
|
|
- ❌ Federated governance (future)
|
|
|
|
**Not In MVP:**
|
|
- Advanced cross-region coordination
|
|
- Federated governance
|
|
- Multi-region promotion flows
|
|
- Cross-region audit aggregation
|
|
|
|
### Regional Landing Zones
|
|
|
|
**MVP Scope:**
|
|
- Basic landing zone per region
|
|
- Regional data residency enforcement
|
|
- Basic cross-region connectivity
|
|
- Regional compliance profiles
|
|
|
|
---
|
|
|
|
## Decentralized Architecture MVP
|
|
|
|
### Basic Decentralized Support
|
|
|
|
**In MVP:**
|
|
- ✅ Regional control plane deployment (basic)
|
|
- ✅ Event-driven coordination (basic)
|
|
- ⚠️ Federated identity (basic)
|
|
- ❌ Advanced federated governance (future)
|
|
|
|
**Not In MVP:**
|
|
- Advanced federated governance
|
|
- Cross-region conflict resolution
|
|
- Advanced eventual consistency
|
|
|
|
---
|
|
|
|
## Sovereign Government MVP Requirements
|
|
|
|
### Compliance Capabilities
|
|
|
|
**In MVP:**
|
|
- ✅ Compliance profiles (ISO, SOC, HIPAA)
|
|
- ✅ Basic audit logging
|
|
- ✅ Data residency flags
|
|
- ⚠️ REGULATED environment type
|
|
- ⚠️ SOVEREIGN environment type
|
|
- ❌ AIR-GAPPED environment type (future)
|
|
|
|
### Audit Capabilities
|
|
|
|
**In MVP:**
|
|
- ✅ Basic audit logging
|
|
- ✅ Access audit trails
|
|
- ✅ Deployment audit trails
|
|
- ⚠️ Cross-region audit aggregation (basic)
|
|
- ❌ Advanced audit analytics (future)
|
|
|
|
### Air-Gapped Support
|
|
|
|
**Not In MVP:**
|
|
- AIR-GAPPED environment type
|
|
- Complete network isolation
|
|
- Air-gapped deployment automation
|
|
|
|
**Future:**
|
|
- AIR-GAPPED environment type
|
|
- Air-gapped landing zones
|
|
- Air-gapped deployment automation
|
|
|
|
---
|
|
|
|
## Required APIs and Services
|
|
|
|
### Control Plane APIs
|
|
|
|
#### Commercial Plane API
|
|
- **Service**: `commercial-service`
|
|
- **Endpoints**: Client CRUD, Billing, Invoicing
|
|
- **Database**: PostgreSQL (clients, billing, invoices)
|
|
- **Integration**: Billing aggregation from Subscriptions
|
|
|
|
#### Tenancy Plane API
|
|
- **Service**: `tenancy-service`
|
|
- **Endpoints**: Tenant CRUD, Identity Provider Configuration
|
|
- **Database**: PostgreSQL (tenants, identity providers)
|
|
- **Integration**: Keycloak (realm management)
|
|
|
|
#### Subscription Plane API
|
|
- **Service**: `subscription-service`
|
|
- **Endpoints**: Subscription CRUD, Quota Management, Policy Packs
|
|
- **Database**: PostgreSQL (subscriptions, quotas, policies)
|
|
- **Integration**: Environment Plane (quota enforcement)
|
|
|
|
#### Environment Plane API
|
|
- **Service**: `environment-service`
|
|
- **Endpoints**: Environment CRUD, Promotion, Deployment
|
|
- **Database**: PostgreSQL (environments, promotions)
|
|
- **Integration**: Content & DevOps Plane (deployment), Infrastructure (resource provisioning)
|
|
|
|
#### Content & DevOps Plane API
|
|
- **Service**: `content-service`
|
|
- **Endpoints**: Content Hierarchy CRUD, Git Integration, CI/CD
|
|
- **Database**: PostgreSQL (enterprises, portfolios, products, applications, components)
|
|
- **Integration**: Git (repositories), CI/CD (pipelines), Environment Plane (deployment)
|
|
|
|
### Integration Services
|
|
|
|
#### Keycloak Integration
|
|
- **Service**: `keycloak-integration`
|
|
- **Function**: Tenant realm management, user sync
|
|
- **Integration**: Tenancy Plane API
|
|
|
|
#### Infrastructure Integration
|
|
- **Service**: `infrastructure-integration`
|
|
- **Function**: Proxmox, Kubernetes, Cloudflare integration
|
|
- **Integration**: Environment Plane API, Subscription Plane API
|
|
|
|
#### Git Integration
|
|
- **Service**: `git-integration`
|
|
- **Function**: Git repository management, branch protection
|
|
- **Integration**: Content & DevOps Plane API
|
|
|
|
#### CI/CD Integration
|
|
- **Service**: `cicd-integration`
|
|
- **Function**: CI/CD pipeline integration, artifact management
|
|
- **Integration**: Content & DevOps Plane API, Environment Plane API
|
|
|
|
---
|
|
|
|
## Data Model Extensions
|
|
|
|
### Database Schema Extensions
|
|
|
|
#### Clients Table
|
|
```sql
|
|
CREATE TABLE clients (
|
|
id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
|
|
name VARCHAR(255) NOT NULL,
|
|
legal_entity JSONB NOT NULL,
|
|
contract JSONB,
|
|
invoicing_config JSONB NOT NULL,
|
|
created_at TIMESTAMP DEFAULT NOW(),
|
|
updated_at TIMESTAMP DEFAULT NOW()
|
|
);
|
|
```
|
|
|
|
#### Tenants Table
|
|
```sql
|
|
CREATE TABLE tenants (
|
|
id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
|
|
name VARCHAR(255) NOT NULL,
|
|
client_id UUID NOT NULL REFERENCES clients(id),
|
|
primary_domains TEXT[] NOT NULL,
|
|
identity_provider JSONB NOT NULL,
|
|
rbac_namespace VARCHAR(255) NOT NULL,
|
|
data_residency_flags JSONB[],
|
|
compliance_profile JSONB,
|
|
keycloak_realm_id VARCHAR(255),
|
|
created_at TIMESTAMP DEFAULT NOW(),
|
|
updated_at TIMESTAMP DEFAULT NOW()
|
|
);
|
|
```
|
|
|
|
#### Subscriptions Table
|
|
```sql
|
|
CREATE TABLE subscriptions (
|
|
id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
|
|
name VARCHAR(255) NOT NULL,
|
|
tenant_id UUID NOT NULL REFERENCES tenants(id),
|
|
client_id UUID NOT NULL REFERENCES clients(id),
|
|
type VARCHAR(50) NOT NULL,
|
|
service_bundles JSONB[] NOT NULL,
|
|
quotas JSONB NOT NULL,
|
|
limits JSONB NOT NULL,
|
|
policy_packs JSONB[],
|
|
created_at TIMESTAMP DEFAULT NOW(),
|
|
updated_at TIMESTAMP DEFAULT NOW()
|
|
);
|
|
```
|
|
|
|
#### Environments Table
|
|
```sql
|
|
CREATE TABLE environments (
|
|
id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
|
|
name VARCHAR(255) NOT NULL,
|
|
subscription_id UUID NOT NULL REFERENCES subscriptions(id),
|
|
type VARCHAR(50) NOT NULL,
|
|
network_isolation JSONB NOT NULL,
|
|
data_isolation JSONB NOT NULL,
|
|
deployment_policies JSONB[],
|
|
promotion_flow JSONB,
|
|
created_at TIMESTAMP DEFAULT NOW(),
|
|
updated_at TIMESTAMP DEFAULT NOW()
|
|
);
|
|
```
|
|
|
|
#### Content Hierarchy Tables
|
|
```sql
|
|
CREATE TABLE enterprises (
|
|
id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
|
|
name VARCHAR(255) NOT NULL,
|
|
ownership JSONB NOT NULL,
|
|
created_at TIMESTAMP DEFAULT NOW(),
|
|
updated_at TIMESTAMP DEFAULT NOW()
|
|
);
|
|
|
|
CREATE TABLE portfolios (
|
|
id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
|
|
name VARCHAR(255) NOT NULL,
|
|
enterprise_id UUID NOT NULL REFERENCES enterprises(id),
|
|
ownership JSONB NOT NULL,
|
|
created_at TIMESTAMP DEFAULT NOW(),
|
|
updated_at TIMESTAMP DEFAULT NOW()
|
|
);
|
|
|
|
CREATE TABLE products (
|
|
id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
|
|
name VARCHAR(255) NOT NULL,
|
|
portfolio_id UUID NOT NULL REFERENCES portfolios(id),
|
|
ownership JSONB NOT NULL,
|
|
created_at TIMESTAMP DEFAULT NOW(),
|
|
updated_at TIMESTAMP DEFAULT NOW()
|
|
);
|
|
|
|
CREATE TABLE applications (
|
|
id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
|
|
name VARCHAR(255) NOT NULL,
|
|
product_id UUID NOT NULL REFERENCES products(id),
|
|
ownership JSONB NOT NULL,
|
|
created_at TIMESTAMP DEFAULT NOW(),
|
|
updated_at TIMESTAMP DEFAULT NOW()
|
|
);
|
|
|
|
CREATE TABLE components (
|
|
id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
|
|
name VARCHAR(255) NOT NULL,
|
|
application_id UUID NOT NULL REFERENCES applications(id),
|
|
content_type VARCHAR(50) NOT NULL,
|
|
content JSONB NOT NULL,
|
|
version VARCHAR(50) NOT NULL,
|
|
created_at TIMESTAMP DEFAULT NOW(),
|
|
updated_at TIMESTAMP DEFAULT NOW()
|
|
);
|
|
```
|
|
|
|
### GraphQL Schema Extensions
|
|
|
|
See `docs/phoenix/OPERATING_MODEL.md` for complete GraphQL schema definitions.
|
|
|
|
---
|
|
|
|
## Implementation Priorities
|
|
|
|
### Priority 1: Core Entities (Weeks 1-2)
|
|
|
|
1. **Commercial Plane**
|
|
- Client entity
|
|
- Basic billing aggregation
|
|
- Invoice generation
|
|
|
|
2. **Tenancy Plane**
|
|
- Tenant entity
|
|
- Keycloak integration
|
|
- Basic RBAC
|
|
|
|
3. **Subscription Plane**
|
|
- Subscription entity
|
|
- Basic quotas
|
|
- Policy packs
|
|
|
|
4. **Environment Plane**
|
|
- Environment entity
|
|
- Basic isolation
|
|
- Promotion flow
|
|
|
|
5. **Content & DevOps Plane**
|
|
- Content hierarchy
|
|
- Git integration
|
|
- Basic CI/CD
|
|
|
|
### Priority 2: Integration (Weeks 3-4)
|
|
|
|
1. **Keycloak Integration**
|
|
- Realm creation per Tenant
|
|
- User sync
|
|
- Identity provider configuration
|
|
|
|
2. **Infrastructure Integration**
|
|
- Proxmox integration
|
|
- Kubernetes integration
|
|
- Cloudflare integration
|
|
|
|
3. **Git Integration**
|
|
- Repository management
|
|
- Branch protection
|
|
- CI/CD integration
|
|
|
|
### Priority 3: Advanced Features (Weeks 5-6)
|
|
|
|
1. **Multi-Region Support**
|
|
- Regional landing zones
|
|
- Cross-region coordination
|
|
- Regional data residency
|
|
|
|
2. **Compliance**
|
|
- Compliance profiles
|
|
- Audit logging
|
|
- REGULATED/SOVEREIGN environments
|
|
|
|
3. **Advanced Promotion**
|
|
- Approval workflows
|
|
- Policy validation
|
|
- Automated promotion
|
|
|
|
---
|
|
|
|
## Dependencies Between Features
|
|
|
|
### Dependency Graph
|
|
|
|
```
|
|
Client Entity
|
|
└── Tenant Entity (requires Client)
|
|
└── Subscription Entity (requires Tenant)
|
|
└── Environment Entity (requires Subscription)
|
|
└── Content Deployment (requires Environment)
|
|
|
|
Keycloak Integration
|
|
└── Tenant Entity (requires Keycloak)
|
|
|
|
Infrastructure Integration
|
|
└── Environment Entity (requires Infrastructure)
|
|
|
|
Git Integration
|
|
└── Content Hierarchy (requires Git)
|
|
|
|
CI/CD Integration
|
|
└── Git Integration (requires CI/CD)
|
|
└── Environment Entity (requires CI/CD)
|
|
```
|
|
|
|
### Critical Path
|
|
|
|
1. **Week 1**: Client, Tenant, Subscription entities
|
|
2. **Week 2**: Environment entity, Keycloak integration
|
|
3. **Week 3**: Content hierarchy, Git integration
|
|
4. **Week 4**: Infrastructure integration, CI/CD integration
|
|
5. **Week 5**: Multi-region support, compliance
|
|
6. **Week 6**: Advanced features, testing, documentation
|
|
|
|
---
|
|
|
|
## Risk Assessment Per Feature
|
|
|
|
### High Risk Features
|
|
|
|
1. **Keycloak Integration**
|
|
- Risk: Realm creation and sync complexity
|
|
- Mitigation: Phased rollout, extensive testing
|
|
|
|
2. **Multi-Region Support**
|
|
- Risk: Cross-region coordination complexity
|
|
- Mitigation: Start with basic support, expand gradually
|
|
|
|
3. **Promotion Flow**
|
|
- Risk: Policy validation complexity
|
|
- Mitigation: Start with basic policies, expand gradually
|
|
|
|
### Medium Risk Features
|
|
|
|
1. **Billing Aggregation**
|
|
- Risk: Performance with large datasets
|
|
- Mitigation: Efficient aggregation algorithms, caching
|
|
|
|
2. **Infrastructure Integration**
|
|
- Risk: Integration complexity with multiple systems
|
|
- Mitigation: Well-defined integration patterns, testing
|
|
|
|
### Low Risk Features
|
|
|
|
1. **Content Hierarchy**
|
|
- Risk: Low - standard CRUD operations
|
|
- Mitigation: Standard implementation patterns
|
|
|
|
2. **Basic Quotas**
|
|
- Risk: Low - standard quota management
|
|
- Mitigation: Standard implementation patterns
|
|
|
|
---
|
|
|
|
## Integration with Existing Infrastructure
|
|
|
|
### Proxmox Integration
|
|
|
|
**MVP Scope:**
|
|
- Environment → Proxmox resource pool mapping
|
|
- Subscription → Proxmox quota mapping
|
|
- Tenant → Proxmox access control mapping
|
|
|
|
**Integration Points:**
|
|
- Proxmox API for resource provisioning
|
|
- Proxmox quota management
|
|
- Proxmox access control
|
|
|
|
### Kubernetes Integration
|
|
|
|
**MVP Scope:**
|
|
- Environment → Kubernetes namespace mapping
|
|
- Subscription → Kubernetes ResourceQuota mapping
|
|
- Tenant → Kubernetes RBAC namespace mapping
|
|
|
|
**Integration Points:**
|
|
- Kubernetes API for namespace management
|
|
- Kubernetes ResourceQuota API
|
|
- Kubernetes RBAC API
|
|
|
|
### Keycloak Integration
|
|
|
|
**MVP Scope:**
|
|
- Tenant → Keycloak realm (1:1)
|
|
- Identity provider configuration
|
|
- User sync
|
|
|
|
**Integration Points:**
|
|
- Keycloak Admin API
|
|
- Keycloak Realm API
|
|
- Keycloak Identity Provider API
|
|
|
|
### Cloudflare Integration
|
|
|
|
**MVP Scope:**
|
|
- Tenant → Cloudflare Access Policy mapping
|
|
- Environment → Cloudflare Tunnel mapping
|
|
- Region → Cloudflare Tunnel endpoint mapping
|
|
|
|
**Integration Points:**
|
|
- Cloudflare API for Access Policies
|
|
- Cloudflare Tunnel API
|
|
- Cloudflare Zero Trust API
|
|
|
|
### ArgoCD Integration
|
|
|
|
**MVP Scope:**
|
|
- Application → ArgoCD Application mapping
|
|
- Environment → ArgoCD Target Environment mapping
|
|
- Subscription → ArgoCD Resource Quota mapping
|
|
|
|
**Integration Points:**
|
|
- ArgoCD API for Application management
|
|
- ArgoCD API for Environment configuration
|
|
- ArgoCD API for Resource Quota management
|
|
|
|
---
|
|
|
|
## Success Criteria for MVP
|
|
|
|
### Functional Criteria
|
|
|
|
1. ✅ All five control planes operational
|
|
2. ✅ Core entities (Client, Tenant, Subscription, Environment, Content) functional
|
|
3. ✅ Keycloak integration working (1:1 Tenant to Realm)
|
|
4. ✅ Basic infrastructure integration (Proxmox, Kubernetes)
|
|
5. ✅ Basic CI/CD integration
|
|
6. ✅ Policy-driven promotion working
|
|
7. ✅ Basic multi-region support
|
|
8. ✅ Basic compliance support
|
|
|
|
### Performance Criteria
|
|
|
|
1. ✅ API response times < 200ms (p95)
|
|
2. ✅ Billing aggregation completes in < 5 seconds
|
|
3. ✅ Tenant creation completes in < 30 seconds
|
|
4. ✅ Environment provisioning completes in < 2 minutes
|
|
|
|
### Security Criteria
|
|
|
|
1. ✅ All APIs authenticated and authorized
|
|
2. ✅ Tenant isolation enforced
|
|
3. ✅ Audit logging functional
|
|
4. ✅ Data residency flags enforced
|
|
|
|
### Compliance Criteria
|
|
|
|
1. ✅ Compliance profiles functional
|
|
2. ✅ Audit trails complete
|
|
3. ✅ REGULATED and SOVEREIGN environments supported
|
|
|
|
---
|
|
|
|
## Next Steps After MVP
|
|
|
|
1. **Advanced Features**
|
|
- AIR-GAPPED environment type
|
|
- Advanced federated identity
|
|
- Advanced chargeback
|
|
- Innovation Subscription type
|
|
|
|
2. **Enhanced Multi-Region**
|
|
- Advanced cross-region coordination
|
|
- Federated governance
|
|
- Multi-region promotion flows
|
|
|
|
3. **Advanced Compliance**
|
|
- Automated compliance checking
|
|
- Advanced audit analytics
|
|
- Blockchain integration (optional)
|
|
|
|
4. **Performance Optimization**
|
|
- Caching strategies
|
|
- Database optimization
|
|
- API performance tuning
|
|
|
|
---
|
|
|
|
## References
|
|
|
|
### Phoenix Operating Model Documentation
|
|
|
|
- **[Operating Model](./OPERATING_MODEL.md)** - Core operating model documentation
|
|
- **[Architecture Diagrams](./OPERATING_MODEL_DIAGRAMS.md)** - Visual diagrams of the operating model
|
|
- **[Cloud Provider Mapping](./CLOUD_PROVIDER_MAPPING.md)** - Azure/AWS mapping and competitive analysis
|
|
- **[Multi-Region Landing Zones](./MULTI_REGION_LANDING_ZONES.md)** - Landing zone patterns and deployment
|
|
- **[Migration Guide](./MIGRATION_GUIDE.md)** - Migration from existing systems and cloud providers
|
|
|
|
### Architecture Documentation
|
|
|
|
- **[Data Model](../architecture/data-model.md)** - GraphQL schema and data model
|
|
|
|
---
|
|
|
|
**Last Updated**: 2025-01-09
|
|
**Version**: 1.0
|
|
**Status**: MVP Control Plane Specification Complete
|
|
|