Files
Sankofa/docs/phoenix/OPERATING_MODEL.md
defiQUG 33d50fb91e
Some checks failed
API CI / API Lint (push) Successful in 47s
API CI / API Type Check (push) Failing after 47s
API CI / API Test (push) Successful in 1m0s
API CI / API Build (push) Failing after 50s
API CI / Build Docker Image (push) Has been skipped
Build Crossplane Provider / build (push) Failing after 5m51s
CD Pipeline / Deploy to Staging (push) Failing after 29s
CI Pipeline / Lint and Type Check (push) Failing after 36s
CI Pipeline / Build (push) Has been skipped
CI Pipeline / Test Backend (push) Failing after 1m33s
CI Pipeline / Test Frontend (push) Failing after 30s
CI Pipeline / Security Scan (push) Failing after 1m16s
Crossplane Provider CI / Go Test (push) Failing after 3m23s
Crossplane Provider CI / Go Lint (push) Failing after 7m27s
Crossplane Provider CI / Go Build (push) Failing after 3m27s
Deploy to Staging / Deploy to Staging (push) Failing after 30s
Portal CI / Portal Lint (push) Failing after 21s
Portal CI / Portal Type Check (push) Failing after 21s
Portal CI / Portal Test (push) Failing after 21s
Portal CI / Portal Build (push) Failing after 22s
Test Suite / frontend-tests (push) Failing after 30s
Test Suite / api-tests (push) Failing after 49s
Test Suite / blockchain-tests (push) Failing after 30s
Type Check / type-check (map[directory:. name:root]) (push) Failing after 23s
Type Check / type-check (map[directory:api name:api]) (push) Failing after 21s
Type Check / type-check (map[directory:portal name:portal]) (push) Failing after 19s
Validate Configuration Files / validate (push) Failing after 1m52s
CD Pipeline / Deploy to Production (push) Has been skipped
chore: consolidate local WIP (repo cleanup 20260707)
Co-authored-by: Cursor <cursoragent@cursor.com>
2026-07-07 09:41:34 -07:00

44 KiB
Raw Blame History

Phoenix Operating Model

Sankofa Phoenix Cloud Services — Enterprise-Grade Operating Model for Sovereign Governments


Executive Summary

Phoenix (Sankofa Cloud Services) is a competing cloud services offering purpose-built to service international and multi-national Sovereign Governments and their contractors. Phoenix competes directly with Azure, AWS, and other cloud service providers while offering superior capabilities for sovereign deployments.

This operating model separates commercial governance, technical tenancy, and content/devops control while enabling clean interoperability across distributed, multi-region deployments. The model is designed to support:

  • International and multi-national sovereign governments requiring multi-region landing zones
  • Decentralized architecture supporting distributed sovereignty
  • Clouds for sovereignty with regional data residency and compliance
  • Enterprise-scale multi-tenancy superior to Azure and AWS

This document is suitable for:

  • Architecture decks
  • Product specifications
  • Client-facing enterprise offering memos
  • Implementation guides

Core Management Layers (Separation of Concerns)

Phoenix is structured around five orthogonal but linked control planes, each with its own hierarchy and access model. Planes reference each other through IDs—not shared control.

The Five Control Planes

  1. Commercial Plane Who pays
  2. Tenancy Plane Who owns domains & identity
  3. Subscription Plane What is provisioned
  4. Environment Plane Where workloads run
  5. Content & DevOps Plane What is built, governed, and deployed

Design Principles

  • Orthogonal Design: Each plane operates independently
  • ID-Based References: Planes reference each other through IDs, not shared control
  • Separation of Concerns: Commercial, technical, and content concerns are separated
  • Clean Interoperability: Planes interoperate cleanly without tight coupling

I. Commercial Plane — Clients (Billing Profiles)

Purpose: Financial ownership, invoicing, entitlements, and contractual scope.

Entity: Client (Billing Profile)

A Client represents a legal entity that contracts with Phoenix for cloud services. It is the financial and contractual boundary for billing and invoicing.

Attributes

  • Legal Entity: Legal name, registration number, jurisdiction
  • Contract & MSA: Master Service Agreement, contract terms, SLAs
  • Invoicing Configuration: Invoice format, frequency, currency, payment terms
  • Payment Instruments: Credit cards, bank accounts, purchase orders
  • Cost Centers / Departments: Internal cost allocation structure
  • Usage Aggregation & Chargeback: Aggregation of usage across all tenants, chargeback to internal departments

Entity Schema

type Client {
  id: ID!
  name: String!
  legalEntity: LegalEntity!
  contract: Contract
  msa: MSA
  invoicingConfig: InvoicingConfig!
  paymentInstruments: [PaymentInstrument!]!
  costCenters: [CostCenter!]!
  tenants: [Tenant!]!
  usageAggregation: UsageAggregation
  chargebackRules: [ChargebackRule!]!
  createdAt: DateTime!
  updatedAt: DateTime!
  metadata: JSON
}

type LegalEntity {
  name: String!
  registrationNumber: String
  jurisdiction: String!
  taxId: String
  address: Address!
}

type Contract {
  id: ID!
  client: Client!
  startDate: DateTime!
  endDate: DateTime
  terms: String!
  sla: SLA!
  status: ContractStatus!
}

type InvoicingConfig {
  format: InvoiceFormat!
  frequency: InvoiceFrequency!
  currency: String!
  paymentTerms: String!
  billingAddress: Address!
  emailRecipients: [String!]!
}

enum InvoiceFormat {
  PDF
  XML
  JSON
}

enum InvoiceFrequency {
  MONTHLY
  QUARTERLY
  ANNUAL
}

Key Rules

  1. A Client can own multiple Tenants

    • Rationale: A single legal entity (e.g., a government agency) may operate multiple domains/identities
    • Example: A defense contractor may have separate tenants for classified and unclassified work
    • Enforcement: Database foreign key constraint (Tenant.clientId → Client.id)
  2. A Tenant cannot span multiple Clients

    • Rationale: Billing and contractual boundaries must be clear
    • Example: A tenant cannot be shared between two different government agencies
    • Enforcement: Database constraint (Tenant.clientId is NOT NULL and UNIQUE per tenant)
  3. Billing is never tied directly to environments or repos

    • Rationale: Billing operates at Client/Subscription level, not at operational level
    • Example: Costs are aggregated at Subscription level, not per environment or Git repository
    • Enforcement: Billing APIs only accept Client or Subscription IDs, not Environment or Content IDs

Relationship to Existing Billing System

The existing Phoenix billing system (documented in docs/tenants/BILLING_GUIDE.md) currently tracks billing at the Tenant level. The new operating model introduces Client as the billing boundary:

  • Migration Path: Existing tenants will be assigned to a default Client (or Clients can be created and tenants assigned)
  • Billing Aggregation: Client-level billing aggregates costs from all associated Tenants and Subscriptions
  • Backward Compatibility: Tenant-level billing queries remain available but aggregate to Client level

Multi-National Client Structures

For international sovereign governments:

  • Single Client, Multiple Tenants: One Client (the government) with multiple Tenants per nation/region
  • Multiple Clients, Coordinated Tenants: Separate Clients per nation with coordinated Tenant structures
  • Federated Billing: Cross-border billing aggregation while maintaining sovereignty

II. Tenancy Plane — Tenants (Domains)

Purpose: Identity, domain ownership, trust boundaries, and security isolation.

Entity: Tenant

A Tenant represents an identity and domain boundary. It is the security blast-radius boundary and owns all identity, domain, and security configuration.

Attributes

  • Primary Domain(s): One or more domains owned by the tenant (e.g., agency.gov, agency.sankofa.nexus)
  • Identity Provider: SSO configuration (Entra, Okta, Keycloak, etc.)
  • Global RBAC Namespace: Root namespace for all RBAC within the tenant
  • Data Residency / Sovereignty Flags: Regional data residency requirements, sovereignty flags
  • Compliance Profile: Compliance requirements (ISO, SOC, HIPAA, government-specific standards)
  • Multi-Region Support: Whether tenant spans multiple regions
  • Regional Data Residency Requirements: Per-region data residency rules
  • Cross-Border Governance Settings: Governance rules for cross-border operations

Entity Schema

type Tenant {
  id: ID!
  name: String!
  primaryDomains: [String!]!
  identityProvider: IdentityProvider!
  rbacNamespace: String!
  dataResidencyFlags: [DataResidencyFlag!]!
  complianceProfile: ComplianceProfile!
  client: Client!
  subscriptions: [Subscription!]!
  environments: [Environment!]!
  regions: [Region!]!
  keycloakRealmId: String
  multiRegionEnabled: Boolean!
  regionalDataResidency: [RegionalDataResidency!]!
  crossBorderGovernance: CrossBorderGovernance
  createdAt: DateTime!
  updatedAt: DateTime!
  metadata: JSON
}

type IdentityProvider {
  type: IdentityProviderType!
  config: JSON!
  ssoEnabled: Boolean!
  mfaRequired: Boolean!
}

enum IdentityProviderType {
  KEYCLOAK
  AZURE_AD
  OKTA
  GOOGLE_WORKSPACE
  CUSTOM_SAML
  CUSTOM_OIDC
}

type ComplianceProfile {
  standards: [ComplianceStandard!]!
  certifications: [Certification!]!
  auditRequirements: [AuditRequirement!]!
}

enum ComplianceStandard {
  ISO_27001
  ISO_27017
  ISO_27018
  SOC_2
  SOC_3
  HIPAA
  PCI_DSS
  GDPR
  CCPA
  FEDRAMP
  ITAR
  CUSTOM
}

type DataResidencyFlag {
  region: Region!
  requirement: DataResidencyRequirement!
  enforcement: DataResidencyEnforcement!
}

enum DataResidencyRequirement {
  REQUIRED
  PREFERRED
  PROHIBITED
}

enum DataResidencyEnforcement {
  HARD
  SOFT
  ADVISORY
}

Key Rules

  1. One Tenant → many Subscriptions

    • Rationale: A tenant can have multiple service subscriptions
    • Example: A tenant may have separate subscriptions for compute, data, and AI services
    • Enforcement: Database foreign key (Subscription.tenantId → Tenant.id)
  2. One Tenant → many Environments

    • Rationale: Environments are scoped to tenants for security isolation
    • Example: A tenant may have DEV, STAGING, and PROD environments
    • Enforcement: Environment belongs to Subscription, which belongs to Tenant
  3. Tenant is the security blast-radius boundary

    • Rationale: Security incidents are contained within tenant boundaries
    • Example: A compromised tenant cannot access another tenant's resources
    • Enforcement: Network isolation, RBAC namespace isolation, data isolation

Relationship to Existing Tenant Management

The existing Phoenix tenant management (documented in docs/tenants/TENANT_MANAGEMENT.md) aligns with this model:

  • Tenant Tiers: FREE, STANDARD, ENTERPRISE, SOVEREIGN map to Subscription types
  • Keycloak Integration: Each tenant gets a Keycloak realm (when KEYCLOAK_MULTI_REALM=true)
  • Custom Domains: Tenant primary domains support custom domain configuration
  • Quotas: Tenant quotas map to Subscription quotas and limits

Keycloak Realm Mapping

  • One Tenant = One Keycloak Realm: Each tenant has its own Keycloak realm for complete identity isolation
  • Realm Name: Typically matches Tenant ID or primary domain
  • Federated Identity: Tenants can federate with external identity providers (Entra, Okta, etc.)

Multi-National Tenant Structures

For international sovereign governments:

  • Per-Nation Tenants: Separate tenant per nation with coordinated governance
  • Federated Tenants: Tenants that share identity federation but maintain isolation
  • Cross-Border Tenants: Tenants that span multiple nations with regional data residency

III. Subscription Plane — Subscriptions

Purpose: Logical containers for services, quotas, and spend.

Entity: Subscription

A Subscription represents a service bundle provisioned to a tenant. It defines what services are available, quotas, limits, and cost tracking.

Attributes

  • Service Bundles: Compute, data, AI, storage, networking, etc.
  • Quotas & Limits: Resource quotas, rate limits, capacity limits
  • Cost Tracking: Cost aggregation, budget tracking, spending alerts
  • Policy Packs: Security policies, networking policies, data access policies
  • Feature Entitlements: Enabled features, beta features, premium features
  • Multi-Region Subscriptions: Whether subscription spans multiple regions

Entity Schema

type Subscription {
  id: ID!
  name: String!
  tenant: Tenant!
  client: Client!
  type: SubscriptionType!
  serviceBundles: [ServiceBundle!]!
  quotas: Quotas
  limits: Limits
  costTracking: CostTracking!
  policyPacks: [PolicyPack!]!
  featureEntitlements: [FeatureEntitlement!]!
  environments: [Environment!]!
  regions: [Region!]!
  createdAt: DateTime!
  updatedAt: DateTime!
  metadata: JSON
}

enum SubscriptionType {
  SHARED_PLATFORM
  PRODUCT
  SANDBOX
  INNOVATION
}

type ServiceBundle {
  service: ServiceType!
  enabled: Boolean!
  quotas: ServiceQuotas
  limits: ServiceLimits
}

enum ServiceType {
  COMPUTE
  STORAGE
  NETWORKING
  DATABASE
  AI_ML
  ANALYTICS
  SECURITY
  MONITORING
  BACKUP
}

type Quotas {
  compute: ComputeQuotas
  storage: StorageQuotas
  network: NetworkQuotas
  custom: JSON
}

type ComputeQuotas {
  vcpu: Int
  memory: Int # GB
  instances: Int
  gpu: Int
}

type PolicyPack {
  name: String!
  type: PolicyPackType!
  policies: [Policy!]!
  enforcement: PolicyEnforcement!
}

enum PolicyPackType {
  SECURITY
  NETWORKING
  DATA_ACCESS
  COMPLIANCE
  CUSTOM
}

enum PolicyEnforcement {
  HARD
  SOFT
  ADVISORY
}

Subscription Types

  1. Shared Platform Subscription

    • Purpose: Shared infrastructure and platform services
    • Use Cases: Common platform services, shared networking, centralized monitoring
    • Characteristics: Shared resources, cost-efficient, managed by platform team
  2. Product Subscriptions

    • Purpose: Dedicated resources for specific products or applications
    • Use Cases: Production workloads, customer-facing applications
    • Characteristics: Dedicated resources, higher quotas, production SLAs
  3. Sandbox / Innovation Subscriptions

    • Purpose: Experimental and development environments
    • Use Cases: Proof of concepts, experimentation, learning
    • Characteristics: Lower quotas, relaxed policies, cost-optimized

Key Rules

  1. Subscriptions live inside a Tenant

    • Rationale: Subscriptions inherit tenant identity and security boundaries
    • Example: All subscriptions for a tenant share the same identity provider
    • Enforcement: Database foreign key (Subscription.tenantId → Tenant.id, NOT NULL)
  2. Subscriptions are mapped to one Client billing profile

    • Rationale: Billing aggregation happens at Client level
    • Example: All subscription costs for a tenant roll up to the tenant's Client
    • Enforcement: Subscription.clientId → Client.id (via Tenant.clientId)

Multi-Region Subscription Patterns

  • Regional Subscriptions: Separate subscription per region for regional data residency
  • Global Subscriptions: Single subscription spanning multiple regions
  • Hybrid Subscriptions: Mix of regional and global services

IV. Environment Plane — Environments

Purpose: Operational isolation for lifecycle stages.

Entity: Environment

An Environment represents a lifecycle stage where workloads run. It provides network isolation, data isolation, and deployment policies.

Attributes

  • Network Isolation: Network boundaries, firewall rules, network policies
  • Data Isolation: Data boundaries, encryption, access controls
  • Deployment Policies: Deployment rules, approval workflows, promotion policies
  • Runtime Secrets: Secrets management, key rotation, access controls
  • Compliance Overlays: Compliance requirements specific to environment
  • Regional Scope: Region where environment is deployed

Entity Schema

type Environment {
  id: ID!
  name: String!
  type: EnvironmentType!
  subscription: Subscription!
  networkIsolation: NetworkIsolation!
  dataIsolation: DataIsolation!
  deploymentPolicies: [DeploymentPolicy!]!
  runtimeSecrets: [Secret!]!
  complianceOverlays: [ComplianceOverlay!]!
  region: Region
  promotionFlow: PromotionFlow
  createdAt: DateTime!
  updatedAt: DateTime!
  metadata: JSON
}

enum EnvironmentType {
  DEV
  INT
  UAT
  STAGING
  PROD
  REGULATED
  SOVEREIGN
  AIR_GAPPED
}

type NetworkIsolation {
  vpcId: String
  subnetIds: [String!]!
  firewallRules: [FirewallRule!]!
  networkPolicies: [NetworkPolicy!]!
  allowedConnections: [NetworkConnection!]!
}

type DataIsolation {
  encryptionAtRest: Boolean!
  encryptionInTransit: Boolean!
  accessControls: [AccessControl!]!
  dataBoundaries: [DataBoundary!]!
}

type DeploymentPolicy {
  name: String!
  type: DeploymentPolicyType!
  rules: [DeploymentRule!]!
  approvalRequired: Boolean!
  approvers: [String!]!
}

enum DeploymentPolicyType {
  AUTOMATED
  MANUAL_APPROVAL
  POLICY_DRIVEN
  SCHEDULED
}

type PromotionFlow {
  fromEnvironment: Environment
  toEnvironment: Environment!
  policies: [PromotionPolicy!]!
  approvalRequired: Boolean!
  automated: Boolean!
}

Environment Types

Standard Environments

  1. DEV (Development)

    • Purpose: Developer workstations and development workloads
    • Characteristics: Relaxed policies, high developer access, cost-optimized
    • Access: Developers, DevOps engineers
  2. INT (Integration)

    • Purpose: Integration testing and component testing
    • Characteristics: Moderate policies, limited access, test data
    • Access: QA engineers, integration testers
  3. UAT (User Acceptance Testing)

    • Purpose: User acceptance testing and validation
    • Characteristics: Production-like policies, business user access, production-like data
    • Access: Business users, QA engineers
  4. STAGING

    • Purpose: Pre-production validation and final testing
    • Characteristics: Production-equivalent policies, limited access, production data copies
    • Access: Release managers, senior engineers
  5. PROD (Production)

    • Purpose: Production workloads serving end users
    • Characteristics: Strictest policies, minimal access, production data
    • Access: Operators, on-call engineers (read-only for most)

Specialized Environments

  1. REGULATED

    • Purpose: Regulated workloads requiring specific compliance
    • Characteristics: Enhanced compliance overlays, audit logging, restricted access
    • Use Cases: Healthcare (HIPAA), Finance (PCI-DSS), Government (FedRAMP)
  2. SOVEREIGN

    • Purpose: Sovereign workloads requiring data residency
    • Characteristics: Regional data residency, sovereignty flags, cross-border restrictions
    • Use Cases: Government data, national security, sovereign cloud deployments
  3. AIR-GAPPED

    • Purpose: Classified workloads with no external connectivity
    • Characteristics: Complete network isolation, no internet access, physical security
    • Use Cases: Classified government systems, critical infrastructure

Key Rules

  1. Environments belong to Subscriptions

    • Rationale: Environments inherit subscription quotas and policies
    • Example: PROD environment uses Product Subscription quotas
    • Enforcement: Database foreign key (Environment.subscriptionId → Subscription.id, NOT NULL)
  2. Promotion flows are policy-driven, not manual

    • Rationale: Automated, auditable promotion reduces human error
    • Example: Code promotion from DEV → STAGING → PROD follows defined policies
    • Enforcement: PromotionFlow policies are enforced by CI/CD pipelines
  3. PROD access is always the most restricted

    • Rationale: Production environments require highest security
    • Example: PROD requires MFA, approval workflows, and audit logging
    • Enforcement: RBAC policies enforce stricter access controls for PROD environments

Multi-Region Environment Patterns

  • Regional Environments: Separate environment per region for data residency
  • Global Environments: Single environment spanning multiple regions
  • Hybrid Environments: Mix of regional and global components

V. Content & DevOps Plane (Separate but Integrated)

Purpose: What is built, governed, and deployed—separate from billing and tenancy.

This plane is intentionally not embedded into billing or tenancy. It operates independently but integrates with the other planes through IDs.

A. Enterprise Content Management Hierarchy

Entity Model

Enterprise
 └── Portfolio
     └── Product / Program
         └── Application / Service
             └── Component / Module

Entity Schema

type Enterprise {
  id: ID!
  name: String!
  portfolios: [Portfolio!]!
  ownership: Ownership!
  governance: Governance!
  createdAt: DateTime!
  updatedAt: DateTime!
  metadata: JSON
}

type Portfolio {
  id: ID!
  name: String!
  enterprise: Enterprise!
  products: [Product!]!
  ownership: Ownership!
  governance: Governance!
  createdAt: DateTime!
  updatedAt: DateTime!
  metadata: JSON
}

type Product {
  id: ID!
  name: String!
  portfolio: Portfolio!
  applications: [Application!]!
  ownership: Ownership!
  governance: Governance!
  createdAt: DateTime!
  updatedAt: DateTime!
  metadata: JSON
}

type Application {
  id: ID!
  name: String!
  product: Product!
  components: [Component!]!
  gitRepos: [GitRepo!]!
  ownership: Ownership!
  governance: Governance!
  createdAt: DateTime!
  updatedAt: DateTime!
  metadata: JSON
}

type Component {
  id: ID!
  name: String!
  application: Application!
  contentType: ContentType!
  content: Content!
  ownership: Ownership!
  governance: Governance!
  version: String!
  lineage: [LineageEntry!]!
  createdAt: DateTime!
  updatedAt: DateTime!
  metadata: JSON
}

enum ContentType {
  SOURCE_CODE
  IAC
  PIPELINE
  CONFIG_TEMPLATE
  DOCUMENTATION
  DATA_SCHEMA
  AI_MODEL
  PROMPT
}

type Ownership {
  owner: String!
  team: String
  department: String
  contact: String
}

type Governance {
  approvalWorkflows: [ApprovalWorkflow!]!
  complianceTags: [ComplianceTag!]!
  accessControls: [AccessControl!]!
  retentionPolicies: [RetentionPolicy!]!
}

type ApprovalWorkflow {
  name: String!
  steps: [ApprovalStep!]!
  required: Boolean!
}

type ApprovalStep {
  approver: String!
  role: String!
  timeout: Int
}

Content Types

  1. Source Code: Application source code, libraries, dependencies
  2. IaC (Infrastructure as Code): Terraform, Pulumi, Bicep, CloudFormation
  3. Pipelines: CI/CD pipeline definitions, workflow configurations
  4. Configuration Templates: Environment configs, deployment templates
  5. Documentation: Technical docs, runbooks, architecture diagrams
  6. Data Schemas: Database schemas, data models, API schemas
  7. AI Models / Prompts: ML models, AI prompts, training data

Governance

  • Ownership at Each Level: Clear ownership from Enterprise to Component
  • Approval Workflows: Required approvals for changes at each level
  • Compliance Tagging: Compliance tags for regulatory requirements
  • Versioning & Lineage: Complete version history and lineage tracking

B. Git & DevOps Integration Model

Git Structure

Enterprise Git Organization:

  • Repositories mapped to Product / Service level
  • Branch strategy enforced by policy
  • Protected branches for regulated environments
  • Multi-region Git repository patterns

Repository Mapping:

Enterprise Git Org
 ├── portfolio-1/
 │   ├── product-a/
 │   │   ├── application-1/ (repo)
 │   │   └── application-2/ (repo)
 │   └── product-b/
 │       └── application-3/ (repo)
 └── portfolio-2/
     └── product-c/
         └── application-4/ (repo)

Branch Strategy:

  • main/master: Production-ready code
  • develop: Integration branch
  • feature/*: Feature branches
  • release/*: Release branches
  • hotfix/*: Production hotfixes

Protected Branches:

  • PROD environments: Require approval, no direct pushes
  • REGULATED environments: Additional compliance checks
  • SOVEREIGN environments: Regional approval requirements

CI/CD Integration

Environment-Aware Pipelines:

  • Pipelines detect target environment from branch or configuration
  • Environment-specific policies are applied automatically
  • Deployment requires explicit environment selection

Deployment Requirements:

  1. Subscription Authorization: Pipeline verifies subscription has required services
  2. Environment Approval: Automated or manual approval based on environment type
  3. Policy Validation: Security, compliance, and governance policies are validated

GitOps for Infrastructure:

  • Infrastructure changes via Git commits
  • ArgoCD syncs Git state to infrastructure
  • Crossplane provisions infrastructure resources
  • Integration with existing ArgoCD infrastructure (see gitops/README.md)

Promotion Flow

Standard Promotion Flow:

Code Commit
  ↓
CI (Test, Scan, Build)
  ↓
Artifact Registry
  ↓
Environment Promotion (Policy-Driven)
  ↓
Subscription Deployment

Policy-Driven Promotion:

  • Automated: DEV → INT → UAT (automated if tests pass)
  • Approval Required: UAT → STAGING (requires approval)
  • Strict Approval: STAGING → PROD (requires multiple approvals, compliance checks)

Critical Principle:

Git never directly deploys to PROD without environment + subscription authorization.

Enforcement:

  • CI/CD pipelines check environment type
  • PROD deployments require:
    • Subscription authorization
    • Environment approval workflow
    • Policy validation (security, compliance)
    • Audit logging

Multi-Region Promotion:

  • Regional promotion flows for data residency
  • Cross-region promotion with governance approval
  • Sovereign promotion with regional compliance checks

VI. Hierarchical Access Model (RBAC)

Access Roles by Plane

1. Commercial Access

  • Finance Admin: Full access to Client billing, invoicing, payment instruments
  • Billing Viewer: Read-only access to billing and cost data
  • Cost Center Owner: Access to specific cost center data and chargeback

2. Tenant Access

  • Tenant Owner: Full control over tenant, identity, domains, subscriptions
  • Security Admin: Security configuration, compliance, audit access
  • Identity Admin: Identity provider configuration, user management
  • Compliance Officer: Compliance configuration, audit, reporting

3. Subscription Access

  • Subscription Owner: Full control over subscription, quotas, policies
  • Platform Admin: Platform services administration
  • Service Operator: Service-specific operations
  • Read-only Auditor: Read-only access for auditing

4. Environment Access

  • Environment Owner: Full control over environment configuration
  • Release Manager: Promotion approval, release management
  • Operator: Runtime operations, monitoring, troubleshooting
  • Observer: Read-only access for monitoring

5. Content & DevOps Access

  • Enterprise Architect: Enterprise-level architecture decisions
  • Portfolio Lead: Portfolio-level governance and decisions
  • Product Owner: Product-level decisions and priorities
  • Dev Lead: Development team leadership
  • Contributor: Code contribution, development
  • Reviewer: Code review, approval
  • Release Approver: Release approval for production

Cross-Plane Access

Default Rule: No role crosses planes by default.

Explicit Delegation Required:

  • Cross-plane access must be explicitly granted
  • Delegation is audited and logged
  • Delegation can be time-limited or permanent

Delegation Mechanisms:

  • Role Delegation: Grant role from one plane to user in another plane
  • Temporary Access: Time-limited cross-plane access
  • Escalation: Emergency escalation procedures

Multi-Region RBAC

  • Regional Roles: Roles scoped to specific regions
  • Cross-Region Roles: Roles that span multiple regions (requires approval)
  • Federated RBAC: RBAC across federated tenants

Integration with Keycloak

  • Keycloak Roles: Phoenix roles map to Keycloak roles
  • Realm-Level Roles: Tenant-specific roles in Keycloak realm
  • Federated Roles: Roles from federated identity providers

VII. Key Rules and Constraints

Commercial Plane Rules

  1. A Client can own multiple Tenants

    • Rationale: Single legal entity may operate multiple domains/identities
    • Enforcement: Database foreign key (Tenant.clientId → Client.id)
  2. A Tenant cannot span multiple Clients

    • Rationale: Billing and contractual boundaries must be clear
    • Enforcement: Database constraint (Tenant.clientId is NOT NULL and UNIQUE per tenant)
  3. Billing is never tied directly to environments or repos

    • Rationale: Billing operates at Client/Subscription level
    • Enforcement: Billing APIs only accept Client or Subscription IDs

Tenancy Plane Rules

  1. One Tenant → many Subscriptions

    • Rationale: Tenant can have multiple service subscriptions
    • Enforcement: Database foreign key (Subscription.tenantId → Tenant.id)
  2. One Tenant → many Environments

    • Rationale: Environments are scoped to tenants for security
    • Enforcement: Environment belongs to Subscription, which belongs to Tenant
  3. Tenant is the security blast-radius boundary

    • Rationale: Security incidents contained within tenant
    • Enforcement: Network isolation, RBAC namespace isolation, data isolation

Subscription Plane Rules

  1. Subscriptions live inside a Tenant

    • Rationale: Subscriptions inherit tenant identity and security
    • Enforcement: Database foreign key (Subscription.tenantId → Tenant.id, NOT NULL)
  2. Subscriptions are mapped to one Client billing profile

    • Rationale: Billing aggregation at Client level
    • Enforcement: Subscription.clientId → Client.id (via Tenant.clientId)

Environment Plane Rules

  1. Environments belong to Subscriptions

    • Rationale: Environments inherit subscription quotas and policies
    • Enforcement: Database foreign key (Environment.subscriptionId → Subscription.id, NOT NULL)
  2. Promotion flows are policy-driven, not manual

    • Rationale: Automated, auditable promotion reduces error
    • Enforcement: PromotionFlow policies enforced by CI/CD pipelines
  3. PROD access is always the most restricted

    • Rationale: Production requires highest security
    • Enforcement: RBAC policies enforce stricter access for PROD

Content & DevOps Plane Rules

  1. Git never directly deploys to PROD without environment + subscription authorization

    • Rationale: Production deployments require explicit authorization
    • Enforcement: CI/CD pipelines check environment type and require approvals
  2. Content hierarchy ownership is required at each level

    • Rationale: Clear ownership enables governance
    • Enforcement: Ownership fields are required in entity schemas

Cross-Plane Rules

  1. No role crosses planes by default

    • Rationale: Separation of concerns requires explicit cross-plane access
    • Enforcement: RBAC system enforces plane boundaries
  2. Cross-plane access requires explicit delegation

    • Rationale: Auditability and security require explicit delegation
    • Enforcement: Delegation must be recorded and audited

Violation Handling

  • Prevention: Database constraints prevent invalid relationships
  • Detection: Audit logs detect policy violations
  • Response: Automated alerts and manual review for violations
  • Remediation: Automated remediation where possible, manual intervention required for critical violations

VIII. Multi-Region and Multi-National Capabilities

Sovereign Cloud Deployments

Per-Region/Nation Sovereign Clouds:

  • Each region/nation can have its own sovereign cloud deployment
  • Complete data residency and sovereignty per region
  • Regional compliance and governance

Cross-Region Governance

Federated Governance:

  • Governance policies can span multiple regions
  • Cross-region coordination for multi-national operations
  • Regional autonomy with coordinated governance

Multi-National Tenant Structures

Per-Nation Tenants:

  • Separate tenant per nation with coordinated governance
  • Federated identity across nations
  • Cross-border data sharing with governance

Regional Data Residency

Data Residency Enforcement:

  • Hard enforcement: Data cannot leave region
  • Soft enforcement: Data preferred in region, warnings if outside
  • Advisory: Recommendations for data placement

Landing Zone Patterns

Regional Landing Zones:

  • Landing zone per region for sovereign deployments
  • Cross-region connectivity for coordination
  • Regional compliance per landing zone

IX. Decentralized Architecture

How Decentralization Enables Sovereignty

Distributed Control:

  • Control planes can be deployed per region
  • Regional autonomy with coordinated governance
  • No single point of control

Sovereignty Benefits:

  • Complete control over regional infrastructure
  • Data sovereignty per region
  • Regulatory compliance per region

Distributed Control Planes

Regional Control Planes:

  • Each region can have its own control plane deployment
  • Coordinated but not centralized
  • Eventual consistency across regions

Cross-Region Coordination

Coordination Mechanisms:

  • Event-driven coordination
  • API-based coordination
  • Governance-based coordination

Conflict Resolution:

  • Regional autonomy with escalation
  • Governance policies for conflict resolution
  • Audit trails for coordination decisions

Federated Identity and Governance

Federated Identity:

  • Identity federation across regions
  • SSO across regions with regional control
  • Multi-national identity coordination

Federated Governance:

  • Governance policies can be federated
  • Regional governance with coordination
  • Cross-border governance patterns

X. Integration with Existing Infrastructure

Entity Mapping to Existing Systems

Proxmox Infrastructure

Mapping:

  • Region → Proxmox Site
  • Cluster → Proxmox Cluster
  • Node → Proxmox Node
  • VM → Proxmox VM

Integration:

  • Environments map to Proxmox resource pools
  • Subscriptions map to Proxmox quotas
  • Tenants map to Proxmox access controls

Kubernetes Clusters

Mapping:

  • Environment → Kubernetes Namespace
  • Subscription → Kubernetes ResourceQuota
  • Tenant → Kubernetes RBAC namespace

Integration:

  • Environments deploy to Kubernetes namespaces
  • Subscriptions enforce Kubernetes resource quotas
  • Tenants enforce Kubernetes RBAC boundaries

Cloudflare Tunnels and Zero Trust

Mapping:

  • Tenant → Cloudflare Access Policy
  • Environment → Cloudflare Tunnel Configuration
  • Region → Cloudflare Tunnel Endpoint

Integration:

  • Tenant identity maps to Cloudflare Access policies
  • Environments use Cloudflare tunnels for connectivity
  • Regions map to Cloudflare tunnel endpoints

Keycloak Realms

Mapping:

  • Tenant → Keycloak Realm (1:1)
  • Identity Provider → Keycloak Identity Provider
  • RBAC Roles → Keycloak Roles

Integration:

  • Each tenant gets a Keycloak realm
  • Tenant identity provider maps to Keycloak identity provider
  • Phoenix RBAC roles map to Keycloak roles

ArgoCD Applications

Mapping:

  • Application → ArgoCD Application
  • Environment → ArgoCD Target Environment
  • Subscription → ArgoCD Resource Quota

Integration:

  • Applications deploy via ArgoCD
  • Environments map to ArgoCD target environments
  • Subscriptions enforce ArgoCD resource quotas

Crossplane Resources

Mapping:

  • Subscription → Crossplane Composite Resource
  • Environment → Crossplane Claim
  • Infrastructure → Crossplane Managed Resources

Integration:

  • Subscriptions provision infrastructure via Crossplane
  • Environments create Crossplane claims
  • Infrastructure resources managed by Crossplane

Monitoring and Observability

Mapping:

  • Tenant → Monitoring Namespace
  • Environment → Monitoring Labels
  • Subscription → Cost Metrics

Integration:

  • Monitoring scoped by tenant and environment
  • Cost metrics aggregated by subscription
  • Alerts configured per environment

Resource Model Mapping

Existing Model (from docs/architecture/data-model.md):

Region → Site → Cluster → Node → VM/Pod/Service

Operating Model Mapping:

  • Region: Maps to Phoenix Region (with Tenant/Subscription context)
  • Site: Maps to Landing Zone or Environment
  • Cluster: Maps to Subscription service bundle
  • Node: Maps to Environment resources
  • VM/Pod/Service: Maps to Environment workloads

API Integration Points

Control Plane APIs:

  • Commercial Plane API: Client and billing operations
  • Tenancy Plane API: Tenant and identity operations
  • Subscription Plane API: Subscription and quota operations
  • Environment Plane API: Environment and deployment operations
  • Content & DevOps Plane API: Content and Git operations

Integration APIs:

  • Proxmox API integration
  • Kubernetes API integration
  • Cloudflare API integration
  • Keycloak API integration
  • ArgoCD API integration
  • Crossplane API integration

XI. Use Cases for Sovereign Governments

Use Case 1: Multi-National Defense Contractor

Scenario: Defense contractor with classified and unclassified workloads across multiple nations.

Entity Mapping:

  • Client: Defense contractor (single Client)
  • Tenants:
    • Tenant 1: Classified workloads (US)
    • Tenant 2: Unclassified workloads (US)
    • Tenant 3: Classified workloads (EU)
    • Tenant 4: Unclassified workloads (EU)
  • Subscriptions:
    • Classified Subscription (AIR-GAPPED environments)
    • Unclassified Subscription (REGULATED environments)
  • Environments:
    • AIR-GAPPED PROD (classified)
    • REGULATED PROD (unclassified)
  • Landing Zones: Separate landing zones per nation

Compliance: ITAR, FedRAMP, regional data residency

Use Case 2: International Healthcare Agency

Scenario: Healthcare agency operating across multiple countries with HIPAA requirements.

Entity Mapping:

  • Client: Healthcare agency (single Client)
  • Tenants:
    • Tenant per country (for data residency)
  • Subscriptions:
    • Healthcare Subscription (HIPAA-compliant)
  • Environments:
    • REGULATED PROD (HIPAA)
    • REGULATED STAGING (HIPAA)
  • Landing Zones: Per-country landing zones

Compliance: HIPAA, GDPR, regional healthcare regulations

Use Case 3: Cross-Border Financial Regulator

Scenario: Financial regulator coordinating across multiple nations.

Entity Mapping:

  • Clients: One Client per nation (coordinated)
  • Tenants:
    • Tenant per nation (federated)
  • Subscriptions:
    • Regulatory Subscription (cross-border)
  • Environments:
    • REGULATED PROD (financial regulations)
  • Landing Zones: Per-nation landing zones with cross-border connectivity

Compliance: Financial regulations per nation, cross-border coordination

Use Case 4: Multi-Region Public Sector Agency

Scenario: Public sector agency with operations across multiple regions.

Entity Mapping:

  • Client: Public sector agency (single Client)
  • Tenants:
    • Tenant per region (for regional autonomy)
  • Subscriptions:
    • Public Sector Subscription
  • Environments:
    • PROD (public services)
    • STAGING (pre-production)
  • Landing Zones: Per-region landing zones

Compliance: Government regulations, regional data residency

Use Case 5: Air-Gapped Deployment Per Nation

Scenario: Classified government system with complete isolation per nation.

Entity Mapping:

  • Client: Government (one per nation)
  • Tenants:
    • Single tenant per nation (complete isolation)
  • Subscriptions:
    • Classified Subscription
  • Environments:
    • AIR-GAPPED PROD (no external connectivity)
  • Landing Zones: Air-gapped landing zone per nation

Compliance: Classified systems, national security regulations


XII. Glossary

Core Entities

  • Client (Billing Profile): Legal entity that contracts with Phoenix for cloud services. Financial and contractual boundary.
  • Tenant: Identity and domain boundary. Security blast-radius. Owns identity, domain, and security configuration.
  • Subscription: Logical container for services, quotas, and spend. Defines what services are available.
  • Environment: Lifecycle stage where workloads run. Provides network isolation, data isolation, and deployment policies.
  • Landing Zone: Regional deployment pattern for sovereign cloud deployments.

Control Planes

  • Commercial Plane: Financial ownership, invoicing, entitlements, contractual scope.
  • Tenancy Plane: Identity, domain ownership, trust boundaries, security isolation.
  • Subscription Plane: Logical containers for services, quotas, and spend.
  • Environment Plane: Operational isolation for lifecycle stages.
  • Content & DevOps Plane: What is built, governed, and deployed.

Environment Types

  • DEV: Development environment
  • INT: Integration testing environment
  • UAT: User acceptance testing environment
  • STAGING: Pre-production validation environment
  • PROD: Production environment
  • REGULATED: Regulated workloads requiring specific compliance
  • SOVEREIGN: Sovereign workloads requiring data residency
  • AIR-GAPPED: Classified workloads with no external connectivity

Subscription Types

  • Shared Platform Subscription: Shared infrastructure and platform services
  • Product Subscription: Dedicated resources for specific products
  • Sandbox Subscription: Experimental and development environments
  • Innovation Subscription: Innovation and learning environments

Multi-Region Terminology

  • Sovereign Cloud: Cloud deployment with complete regional control and data residency
  • Landing Zone: Regional deployment pattern for sovereign deployments
  • Cross-Region Governance: Governance policies spanning multiple regions
  • Regional Data Residency: Requirement that data remains in specific region
  • Federated Identity: Identity federation across regions or tenants

Decentralized Architecture Terminology

  • Distributed Control Plane: Control plane deployed per region
  • Federated Governance: Governance policies federated across regions
  • Eventual Consistency: Data consistency achieved over time across regions
  • Regional Autonomy: Regional control with coordinated governance

Comparison to Azure/AWS

  • Azure AD TenantPhoenix Tenant
  • Azure SubscriptionPhoenix Subscription
  • Azure Resource GroupPhoenix Environment
  • AWS OrganizationPhoenix Client/Tenant
  • AWS AccountPhoenix Subscription
  • AWS RegionPhoenix Region/Landing Zone

XIII. Why This Works for Phoenix / Sankofa

This operating model provides:

  1. Enterprise-Scale Client Separation: Support for large multi-tenant deployments
  2. Strong Security & Sovereignty Boundaries: Tenant as security blast-radius, regional sovereignty
  3. Clean DevOps Velocity: Content & DevOps separate from billing/tenancy
  4. Clear Monetization and Cost Attribution: Client-level billing with subscription aggregation
  5. Regulator-Friendly Audit Trails: Complete governance and compliance logging
  6. Future Readiness: Sovereign, regulated, and AI workloads supported
  7. Multi-Region Native: Designed for international/multi-national sovereign governments
  8. Decentralized Architecture: Supports distributed governance and sovereignty

Alignment with Industry Standards

  • Azure / AWS / GCP Mental Models: Familiar concepts with Phoenix enhancements
  • Regulated Banking & Public-Sector Frameworks: Compliance-ready architecture
  • Multi-Tenant SaaS at Scale: Enterprise-grade multi-tenancy
  • Sovereign Cloud Requirements: Regional sovereignty and data residency

Competitive Advantages

  • Superior Multi-Tenancy: Better than Azure with finer-grained control
  • Superior Billing: Per-second granularity vs Azure's hourly
  • Sovereign Identity: Keycloak-based, no Azure dependencies
  • Multi-Region Native: Built for international/multi-national deployments
  • Decentralized Architecture: Supports distributed sovereignty
  • Landing Zone Patterns: Sovereign cloud deployments per region

References

Existing Documentation (Tenant-Based Model)

Note

: The following documents describe the current tenant-based model. See Migration Guide for migration to the new operating model.

Architecture Documentation


Last Updated: 2025-01-09
Version: 1.0
Status: Comprehensive Operating Model Documentation