Some checks failed
API CI / API Lint (push) Successful in 47s
API CI / API Type Check (push) Failing after 47s
API CI / API Test (push) Successful in 1m0s
API CI / API Build (push) Failing after 50s
API CI / Build Docker Image (push) Has been skipped
Build Crossplane Provider / build (push) Failing after 5m51s
CD Pipeline / Deploy to Staging (push) Failing after 29s
CI Pipeline / Lint and Type Check (push) Failing after 36s
CI Pipeline / Build (push) Has been skipped
CI Pipeline / Test Backend (push) Failing after 1m33s
CI Pipeline / Test Frontend (push) Failing after 30s
CI Pipeline / Security Scan (push) Failing after 1m16s
Crossplane Provider CI / Go Test (push) Failing after 3m23s
Crossplane Provider CI / Go Lint (push) Failing after 7m27s
Crossplane Provider CI / Go Build (push) Failing after 3m27s
Deploy to Staging / Deploy to Staging (push) Failing after 30s
Portal CI / Portal Lint (push) Failing after 21s
Portal CI / Portal Type Check (push) Failing after 21s
Portal CI / Portal Test (push) Failing after 21s
Portal CI / Portal Build (push) Failing after 22s
Test Suite / frontend-tests (push) Failing after 30s
Test Suite / api-tests (push) Failing after 49s
Test Suite / blockchain-tests (push) Failing after 30s
Type Check / type-check (map[directory:. name:root]) (push) Failing after 23s
Type Check / type-check (map[directory:api name:api]) (push) Failing after 21s
Type Check / type-check (map[directory:portal name:portal]) (push) Failing after 19s
Validate Configuration Files / validate (push) Failing after 1m52s
CD Pipeline / Deploy to Production (push) Has been skipped
Co-authored-by: Cursor <cursoragent@cursor.com>
950 lines
27 KiB
Markdown
950 lines
27 KiB
Markdown
# Phoenix Operating Model - Architecture Diagrams
|
|
|
|
**Visual representations of the Phoenix operating model architecture**
|
|
|
|
This document contains mermaid diagrams visualizing the Phoenix operating model, including control planes, entity relationships, access models, promotion flows, and integration patterns.
|
|
|
|
---
|
|
|
|
## 1. Control Plane Overview
|
|
|
|
High-level view of the five orthogonal control planes and their relationships.
|
|
|
|
```mermaid
|
|
graph TB
|
|
subgraph commercial [Commercial Plane]
|
|
Client[Client<br/>Billing Profile]
|
|
Billing[Billing & Invoicing]
|
|
Contracts[Contracts & MSAs]
|
|
end
|
|
|
|
subgraph tenancy [Tenancy Plane]
|
|
Tenant[Tenant<br/>Domain & Identity]
|
|
Identity[Identity Provider]
|
|
RBAC[RBAC Namespace]
|
|
end
|
|
|
|
subgraph subscription [Subscription Plane]
|
|
Subscription[Subscription<br/>Service Bundle]
|
|
Quotas[Quotas & Limits]
|
|
Policies[Policy Packs]
|
|
end
|
|
|
|
subgraph environment [Environment Plane]
|
|
Environment[Environment<br/>Lifecycle Stage]
|
|
Network[Network Isolation]
|
|
Data[Data Isolation]
|
|
end
|
|
|
|
subgraph content [Content & DevOps Plane]
|
|
Enterprise[Enterprise]
|
|
Portfolio[Portfolio]
|
|
Product[Product]
|
|
Application[Application]
|
|
Component[Component]
|
|
end
|
|
|
|
Client -->|owns| Tenant
|
|
Tenant -->|contains| Subscription
|
|
Subscription -->|provisions| Environment
|
|
Application -->|deploys to| Environment
|
|
|
|
Client -.->|billing ID| Subscription
|
|
Tenant -.->|identity ID| Environment
|
|
Subscription -.->|quota ID| Environment
|
|
Application -.->|content ID| Environment
|
|
|
|
style Client fill:#e1f5ff
|
|
style Tenant fill:#fff4e1
|
|
style Subscription fill:#e8f5e9
|
|
style Environment fill:#fce4ec
|
|
style Enterprise fill:#f3e5f5
|
|
```
|
|
|
|
---
|
|
|
|
## 2. Entity Relationship Diagram
|
|
|
|
Complete graph showing the hierarchical relationships between all entities.
|
|
|
|
```mermaid
|
|
erDiagram
|
|
Client ||--o{ Tenant : "owns"
|
|
Tenant ||--o{ Subscription : "contains"
|
|
Subscription ||--o{ Environment : "provisions"
|
|
|
|
Client {
|
|
string id
|
|
string name
|
|
LegalEntity legalEntity
|
|
Contract contract
|
|
InvoicingConfig invoicingConfig
|
|
}
|
|
|
|
Tenant {
|
|
string id
|
|
string name
|
|
string[] primaryDomains
|
|
IdentityProvider identityProvider
|
|
string rbacNamespace
|
|
ComplianceProfile complianceProfile
|
|
}
|
|
|
|
Subscription {
|
|
string id
|
|
string name
|
|
SubscriptionType type
|
|
ServiceBundle[] serviceBundles
|
|
Quotas quotas
|
|
PolicyPack[] policyPacks
|
|
}
|
|
|
|
Environment {
|
|
string id
|
|
string name
|
|
EnvironmentType type
|
|
NetworkIsolation networkIsolation
|
|
DataIsolation dataIsolation
|
|
}
|
|
|
|
Enterprise ||--o{ Portfolio : "contains"
|
|
Portfolio ||--o{ Product : "contains"
|
|
Product ||--o{ Application : "contains"
|
|
Application ||--o{ Component : "contains"
|
|
Application ||--o{ GitRepo : "uses"
|
|
|
|
Enterprise {
|
|
string id
|
|
string name
|
|
Ownership ownership
|
|
}
|
|
|
|
Portfolio {
|
|
string id
|
|
string name
|
|
Ownership ownership
|
|
}
|
|
|
|
Product {
|
|
string id
|
|
string name
|
|
Ownership ownership
|
|
}
|
|
|
|
Application {
|
|
string id
|
|
string name
|
|
Ownership ownership
|
|
}
|
|
|
|
Component {
|
|
string id
|
|
string name
|
|
ContentType contentType
|
|
string version
|
|
}
|
|
|
|
Application }o--|| Environment : "deploys to"
|
|
```
|
|
|
|
---
|
|
|
|
## 3. Multi-Region Landing Zone Architecture
|
|
|
|
Sovereign cloud deployments per region, landing zones, and cross-region connectivity.
|
|
|
|
```mermaid
|
|
graph TB
|
|
subgraph global [Global Phoenix Platform]
|
|
ControlPlane[Control Plane<br/>Coordinated]
|
|
end
|
|
|
|
subgraph region1 [Region 1 - Nation A]
|
|
LandingZone1[Landing Zone 1<br/>Sovereign Cloud]
|
|
Tenant1A[Tenant 1A]
|
|
Tenant1B[Tenant 1B]
|
|
Subscription1A[Subscription 1A]
|
|
Environment1A[Environment 1A<br/>PROD]
|
|
end
|
|
|
|
subgraph region2 [Region 2 - Nation B]
|
|
LandingZone2[Landing Zone 2<br/>Sovereign Cloud]
|
|
Tenant2A[Tenant 2A]
|
|
Subscription2A[Subscription 2A]
|
|
Environment2A[Environment 2A<br/>PROD]
|
|
end
|
|
|
|
subgraph region3 [Region 3 - Nation C]
|
|
LandingZone3[Landing Zone 3<br/>Sovereign Cloud]
|
|
Tenant3A[Tenant 3A]
|
|
Subscription3A[Subscription 3A]
|
|
Environment3A[Environment 3A<br/>AIR-GAPPED]
|
|
end
|
|
|
|
ControlPlane -.->|governance| LandingZone1
|
|
ControlPlane -.->|governance| LandingZone2
|
|
ControlPlane -.->|governance| LandingZone3
|
|
|
|
LandingZone1 --> Tenant1A
|
|
LandingZone1 --> Tenant1B
|
|
Tenant1A --> Subscription1A
|
|
Subscription1A --> Environment1A
|
|
|
|
LandingZone2 --> Tenant2A
|
|
Tenant2A --> Subscription2A
|
|
Subscription2A --> Environment2A
|
|
|
|
LandingZone3 --> Tenant3A
|
|
Tenant3A --> Subscription3A
|
|
Subscription3A --> Environment3A
|
|
|
|
LandingZone1 <-->|cross-region<br/>connectivity| LandingZone2
|
|
LandingZone2 -.->|governance only| LandingZone3
|
|
|
|
style LandingZone1 fill:#e1f5ff
|
|
style LandingZone2 fill:#e1f5ff
|
|
style LandingZone3 fill:#e1f5ff
|
|
style Environment3A fill:#ffebee
|
|
```
|
|
|
|
---
|
|
|
|
## 4. Decentralized Control Planes
|
|
|
|
Distributed governance across regions showing regional autonomy with coordination.
|
|
|
|
```mermaid
|
|
graph TB
|
|
subgraph coordination [Coordination Layer]
|
|
EventBus[Event Bus]
|
|
GovernanceAPI[Governance API]
|
|
AuditLog[Audit Log]
|
|
end
|
|
|
|
subgraph region1 [Region 1 Control Plane]
|
|
CP1_Commercial[Commercial Plane]
|
|
CP1_Tenancy[Tenancy Plane]
|
|
CP1_Subscription[Subscription Plane]
|
|
CP1_Environment[Environment Plane]
|
|
CP1_Content[Content & DevOps]
|
|
end
|
|
|
|
subgraph region2 [Region 2 Control Plane]
|
|
CP2_Commercial[Commercial Plane]
|
|
CP2_Tenancy[Tenancy Plane]
|
|
CP2_Subscription[Subscription Plane]
|
|
CP2_Environment[Environment Plane]
|
|
CP2_Content[Content & DevOps]
|
|
end
|
|
|
|
subgraph region3 [Region 3 Control Plane]
|
|
CP3_Commercial[Commercial Plane]
|
|
CP3_Tenancy[Tenancy Plane]
|
|
CP3_Subscription[Subscription Plane]
|
|
CP3_Environment[Environment Plane]
|
|
CP3_Content[Content & DevOps]
|
|
end
|
|
|
|
CP1_Commercial <--> EventBus
|
|
CP1_Tenancy <--> EventBus
|
|
CP1_Subscription <--> EventBus
|
|
CP1_Environment <--> EventBus
|
|
CP1_Content <--> EventBus
|
|
|
|
CP2_Commercial <--> EventBus
|
|
CP2_Tenancy <--> EventBus
|
|
CP2_Subscription <--> EventBus
|
|
CP2_Environment <--> EventBus
|
|
CP2_Content <--> EventBus
|
|
|
|
CP3_Commercial <--> EventBus
|
|
CP3_Tenancy <--> EventBus
|
|
CP3_Subscription <--> EventBus
|
|
CP3_Environment <--> EventBus
|
|
CP3_Content <--> EventBus
|
|
|
|
EventBus --> GovernanceAPI
|
|
EventBus --> AuditLog
|
|
|
|
CP1_Tenancy <-->|federated identity| CP2_Tenancy
|
|
CP2_Tenancy -.->|governance only| CP3_Tenancy
|
|
|
|
style CP1_Commercial fill:#e1f5ff
|
|
style CP1_Tenancy fill:#fff4e1
|
|
style CP1_Subscription fill:#e8f5e9
|
|
style CP1_Environment fill:#fce4ec
|
|
style CP1_Content fill:#f3e5f5
|
|
```
|
|
|
|
---
|
|
|
|
## 5. Content Hierarchy
|
|
|
|
Enterprise content management hierarchy from Enterprise to Component.
|
|
|
|
```mermaid
|
|
graph TD
|
|
Enterprise[Enterprise<br/>Ownership & Governance]
|
|
|
|
Enterprise --> Portfolio1[Portfolio 1]
|
|
Enterprise --> Portfolio2[Portfolio 2]
|
|
Enterprise --> Portfolio3[Portfolio 3]
|
|
|
|
Portfolio1 --> Product1A[Product 1A]
|
|
Portfolio1 --> Product1B[Product 1B]
|
|
|
|
Portfolio2 --> Product2A[Product 2A]
|
|
|
|
Product1A --> App1A1[Application 1A1]
|
|
Product1A --> App1A2[Application 1A2]
|
|
|
|
Product1B --> App1B1[Application 1B1]
|
|
|
|
Product2A --> App2A1[Application 2A1]
|
|
|
|
App1A1 --> Comp1A1A[Component 1A1A<br/>Source Code]
|
|
App1A1 --> Comp1A1B[Component 1A1B<br/>IaC]
|
|
App1A1 --> Comp1A1C[Component 1A1C<br/>Pipeline]
|
|
|
|
App1A2 --> Comp1A2A[Component 1A2A<br/>Source Code]
|
|
|
|
App1B1 --> Comp1B1A[Component 1B1A<br/>Source Code]
|
|
|
|
App2A1 --> Comp2A1A[Component 2A1A<br/>Source Code]
|
|
App2A1 --> Comp2A1B[Component 2A1B<br/>AI Model]
|
|
|
|
App1A1 --> GitRepo1[Git Repository 1]
|
|
App1A2 --> GitRepo2[Git Repository 2]
|
|
App1B1 --> GitRepo3[Git Repository 3]
|
|
App2A1 --> GitRepo4[Git Repository 4]
|
|
|
|
style Enterprise fill:#f3e5f5
|
|
style Portfolio1 fill:#e1bee7
|
|
style Portfolio2 fill:#e1bee7
|
|
style Portfolio3 fill:#e1bee7
|
|
style Product1A fill:#ce93d8
|
|
style App1A1 fill:#ba68c8
|
|
style Comp1A1A fill:#ab47bc
|
|
```
|
|
|
|
---
|
|
|
|
## 6. Access Model (RBAC)
|
|
|
|
RBAC roles across planes with regional scope and cross-plane delegation.
|
|
|
|
```mermaid
|
|
graph TB
|
|
subgraph commercialRoles [Commercial Plane Roles]
|
|
FinanceAdmin[Finance Admin]
|
|
BillingViewer[Billing Viewer]
|
|
CostCenterOwner[Cost Center Owner]
|
|
end
|
|
|
|
subgraph tenancyRoles [Tenancy Plane Roles]
|
|
TenantOwner[Tenant Owner]
|
|
SecurityAdmin[Security Admin]
|
|
IdentityAdmin[Identity Admin]
|
|
ComplianceOfficer[Compliance Officer]
|
|
end
|
|
|
|
subgraph subscriptionRoles [Subscription Plane Roles]
|
|
SubscriptionOwner[Subscription Owner]
|
|
PlatformAdmin[Platform Admin]
|
|
ServiceOperator[Service Operator]
|
|
Auditor[Read-only Auditor]
|
|
end
|
|
|
|
subgraph environmentRoles [Environment Plane Roles]
|
|
EnvOwner[Environment Owner]
|
|
ReleaseManager[Release Manager]
|
|
Operator[Operator]
|
|
Observer[Observer]
|
|
end
|
|
|
|
subgraph contentRoles [Content & DevOps Roles]
|
|
EnterpriseArch[Enterprise Architect]
|
|
PortfolioLead[Portfolio Lead]
|
|
ProductOwner[Product Owner]
|
|
DevLead[Dev Lead]
|
|
Contributor[Contributor]
|
|
Reviewer[Reviewer]
|
|
ReleaseApprover[Release Approver]
|
|
end
|
|
|
|
FinanceAdmin -.->|delegation| TenantOwner
|
|
TenantOwner -.->|delegation| SubscriptionOwner
|
|
SubscriptionOwner -.->|delegation| EnvOwner
|
|
EnvOwner -.->|delegation| ReleaseManager
|
|
ReleaseManager -.->|delegation| ReleaseApprover
|
|
|
|
TenantOwner -->|manages| IdentityAdmin
|
|
TenantOwner -->|manages| SecurityAdmin
|
|
SubscriptionOwner -->|manages| PlatformAdmin
|
|
EnvOwner -->|manages| Operator
|
|
|
|
style FinanceAdmin fill:#e1f5ff
|
|
style TenantOwner fill:#fff4e1
|
|
style SubscriptionOwner fill:#e8f5e9
|
|
style EnvOwner fill:#fce4ec
|
|
style EnterpriseArch fill:#f3e5f5
|
|
```
|
|
|
|
---
|
|
|
|
## 7. Promotion Flow
|
|
|
|
Code commit through CI/CD to deployment with policy gates and authorization.
|
|
|
|
```mermaid
|
|
sequenceDiagram
|
|
participant Dev as Developer
|
|
participant Git as Git Repository
|
|
participant CI as CI Pipeline
|
|
participant Artifact as Artifact Registry
|
|
participant Policy as Policy Engine
|
|
participant Approval as Approval Workflow
|
|
participant Env as Environment
|
|
participant Sub as Subscription
|
|
|
|
Dev->>Git: Commit Code
|
|
Git->>CI: Trigger CI Pipeline
|
|
|
|
CI->>CI: Run Tests
|
|
CI->>CI: Security Scan
|
|
CI->>CI: Build Artifact
|
|
|
|
alt Tests Pass
|
|
CI->>Artifact: Store Artifact
|
|
Artifact->>Policy: Validate Policies
|
|
|
|
alt Policy Validation Pass
|
|
Policy->>Approval: Check Approval Required
|
|
|
|
alt Approval Required
|
|
Approval->>Approval: Request Approval
|
|
Approval->>Approval: Wait for Approval
|
|
|
|
alt Approval Granted
|
|
Approval->>Sub: Verify Subscription Authorization
|
|
Sub->>Env: Authorize Deployment
|
|
Env->>Env: Deploy to Environment
|
|
else Approval Denied
|
|
Approval->>Dev: Reject Deployment
|
|
end
|
|
else No Approval Required
|
|
Approval->>Sub: Verify Subscription Authorization
|
|
Sub->>Env: Authorize Deployment
|
|
Env->>Env: Deploy to Environment
|
|
end
|
|
else Policy Validation Fail
|
|
Policy->>Dev: Reject - Policy Violation
|
|
end
|
|
else Tests Fail
|
|
CI->>Dev: Reject - Tests Failed
|
|
end
|
|
```
|
|
|
|
---
|
|
|
|
## 8. Integration Architecture
|
|
|
|
How control planes interact with existing infrastructure systems.
|
|
|
|
```mermaid
|
|
graph TB
|
|
subgraph planes [Phoenix Control Planes]
|
|
Commercial[Commercial Plane]
|
|
Tenancy[Tenancy Plane]
|
|
Subscription[Subscription Plane]
|
|
Environment[Environment Plane]
|
|
Content[Content & DevOps Plane]
|
|
end
|
|
|
|
subgraph infrastructure [Existing Infrastructure]
|
|
Proxmox[Proxmox<br/>Compute & Storage]
|
|
Kubernetes[Kubernetes<br/>Container Orchestration]
|
|
Cloudflare[Cloudflare<br/>Zero Trust & Tunnels]
|
|
Keycloak[Keycloak<br/>Identity Management]
|
|
ArgoCD[ArgoCD<br/>GitOps]
|
|
Crossplane[Crossplane<br/>Infrastructure as Code]
|
|
Monitoring[Monitoring & Observability]
|
|
end
|
|
|
|
Commercial -->|billing data| Monitoring
|
|
Tenancy -->|identity config| Keycloak
|
|
Tenancy -->|access policies| Cloudflare
|
|
Subscription -->|resource quotas| Kubernetes
|
|
Subscription -->|infrastructure| Crossplane
|
|
Environment -->|deployment| ArgoCD
|
|
Environment -->|compute resources| Proxmox
|
|
Environment -->|container workloads| Kubernetes
|
|
Content -->|Git repos| ArgoCD
|
|
Content -->|IaC| Crossplane
|
|
|
|
Keycloak -->|identity| Cloudflare
|
|
ArgoCD -->|syncs| Kubernetes
|
|
Crossplane -->|provisions| Proxmox
|
|
Crossplane -->|provisions| Kubernetes
|
|
|
|
style Commercial fill:#e1f5ff
|
|
style Tenancy fill:#fff4e1
|
|
style Subscription fill:#e8f5e9
|
|
style Environment fill:#fce4ec
|
|
style Content fill:#f3e5f5
|
|
```
|
|
|
|
---
|
|
|
|
## 9. Sovereign Environment Isolation
|
|
|
|
REGULATED, SOVEREIGN, and AIR-GAPPED environments per region.
|
|
|
|
```mermaid
|
|
graph TB
|
|
subgraph standard [Standard Environments]
|
|
DEV[DEV<br/>Development]
|
|
INT[INT<br/>Integration]
|
|
UAT[UAT<br/>User Acceptance]
|
|
STAGING[STAGING<br/>Pre-Production]
|
|
PROD[PROD<br/>Production]
|
|
end
|
|
|
|
subgraph specialized [Specialized Environments]
|
|
REGULATED[REGULATED<br/>Compliance Required]
|
|
SOVEREIGN[SOVEREIGN<br/>Data Residency]
|
|
AIRGAPPED[AIR-GAPPED<br/>No External Connectivity]
|
|
end
|
|
|
|
subgraph isolation [Isolation Levels]
|
|
NetworkIsolation[Network Isolation]
|
|
DataIsolation[Data Isolation]
|
|
AccessIsolation[Access Isolation]
|
|
ComplianceIsolation[Compliance Isolation]
|
|
end
|
|
|
|
DEV --> NetworkIsolation
|
|
INT --> NetworkIsolation
|
|
UAT --> NetworkIsolation
|
|
STAGING --> NetworkIsolation
|
|
PROD --> NetworkIsolation
|
|
PROD --> DataIsolation
|
|
PROD --> AccessIsolation
|
|
|
|
REGULATED --> NetworkIsolation
|
|
REGULATED --> DataIsolation
|
|
REGULATED --> AccessIsolation
|
|
REGULATED --> ComplianceIsolation
|
|
|
|
SOVEREIGN --> NetworkIsolation
|
|
SOVEREIGN --> DataIsolation
|
|
SOVEREIGN --> AccessIsolation
|
|
SOVEREIGN --> ComplianceIsolation
|
|
SOVEREIGN -->|regional| DataResidency[Regional Data Residency]
|
|
|
|
AIRGAPPED --> NetworkIsolation
|
|
AIRGAPPED --> DataIsolation
|
|
AIRGAPPED --> AccessIsolation
|
|
AIRGAPPED --> ComplianceIsolation
|
|
AIRGAPPED -->|complete| NoExternalConnectivity[No External Connectivity]
|
|
|
|
style PROD fill:#ffebee
|
|
style REGULATED fill:#fff3e0
|
|
style SOVEREIGN fill:#e8f5e9
|
|
style AIRGAPPED fill:#fce4ec
|
|
```
|
|
|
|
---
|
|
|
|
## 10. Multi-National Tenant Structure
|
|
|
|
How international sovereign governments are modeled with tenants.
|
|
|
|
```mermaid
|
|
graph TB
|
|
subgraph client [Client: International Government]
|
|
ClientEntity[Government Entity<br/>Legal & Billing]
|
|
end
|
|
|
|
subgraph nation1 [Nation A]
|
|
Tenant1A[Tenant 1A<br/>Domain: nation-a.gov]
|
|
Subscription1A[Subscription 1A<br/>Product]
|
|
Environment1A[Environment 1A<br/>PROD]
|
|
LandingZone1[Landing Zone 1<br/>Sovereign Cloud]
|
|
end
|
|
|
|
subgraph nation2 [Nation B]
|
|
Tenant2A[Tenant 2A<br/>Domain: nation-b.gov]
|
|
Subscription2A[Subscription 2A<br/>Product]
|
|
Environment2A[Environment 2A<br/>PROD]
|
|
LandingZone2[Landing Zone 2<br/>Sovereign Cloud]
|
|
end
|
|
|
|
subgraph nation3 [Nation C]
|
|
Tenant3A[Tenant 3A<br/>Domain: nation-c.gov]
|
|
Subscription3A[Subscription 3A<br/>Classified]
|
|
Environment3A[Environment 3A<br/>AIR-GAPPED]
|
|
LandingZone3[Landing Zone 3<br/>Air-Gapped Cloud]
|
|
end
|
|
|
|
ClientEntity -->|owns| Tenant1A
|
|
ClientEntity -->|owns| Tenant2A
|
|
ClientEntity -->|owns| Tenant3A
|
|
|
|
Tenant1A --> Subscription1A
|
|
Subscription1A --> Environment1A
|
|
Environment1A --> LandingZone1
|
|
|
|
Tenant2A --> Subscription2A
|
|
Subscription2A --> Environment2A
|
|
Environment2A --> LandingZone2
|
|
|
|
Tenant3A --> Subscription3A
|
|
Subscription3A --> Environment3A
|
|
Environment3A --> LandingZone3
|
|
|
|
Tenant1A <-->|federated identity| Tenant2A
|
|
Tenant2A -.->|governance only| Tenant3A
|
|
|
|
LandingZone1 <-->|cross-region<br/>connectivity| LandingZone2
|
|
LandingZone2 -.->|no connectivity| LandingZone3
|
|
|
|
style ClientEntity fill:#e1f5ff
|
|
style Tenant1A fill:#fff4e1
|
|
style Tenant2A fill:#fff4e1
|
|
style Tenant3A fill:#fff4e1
|
|
style LandingZone3 fill:#ffebee
|
|
```
|
|
|
|
---
|
|
|
|
## 11. Landing Zone Patterns
|
|
|
|
Regional sovereign cloud deployments with different patterns.
|
|
|
|
```mermaid
|
|
graph TB
|
|
subgraph pattern1 [Pattern 1: Single Region Sovereign]
|
|
LZ1[Landing Zone 1<br/>Region A]
|
|
T1[Tenant 1]
|
|
S1[Subscription 1]
|
|
E1[Environment 1<br/>PROD]
|
|
end
|
|
|
|
subgraph pattern2 [Pattern 2: Multi-Region Sovereign]
|
|
LZ2A[Landing Zone 2A<br/>Region A]
|
|
LZ2B[Landing Zone 2B<br/>Region B]
|
|
T2[Tenant 2<br/>Multi-Region]
|
|
S2A[Subscription 2A<br/>Region A]
|
|
S2B[Subscription 2B<br/>Region B]
|
|
E2A[Environment 2A<br/>PROD]
|
|
E2B[Environment 2B<br/>PROD]
|
|
end
|
|
|
|
subgraph pattern3 [Pattern 3: Air-Gapped Sovereign]
|
|
LZ3[Landing Zone 3<br/>Region C<br/>Air-Gapped]
|
|
T3[Tenant 3]
|
|
S3[Subscription 3<br/>Classified]
|
|
E3[Environment 3<br/>AIR-GAPPED]
|
|
end
|
|
|
|
LZ1 --> T1
|
|
T1 --> S1
|
|
S1 --> E1
|
|
|
|
LZ2A --> T2
|
|
LZ2B --> T2
|
|
T2 --> S2A
|
|
T2 --> S2B
|
|
S2A --> E2A
|
|
S2B --> E2B
|
|
LZ2A <-->|cross-region| LZ2B
|
|
|
|
LZ3 --> T3
|
|
T3 --> S3
|
|
S3 --> E3
|
|
|
|
style LZ1 fill:#e1f5ff
|
|
style LZ2A fill:#e1f5ff
|
|
style LZ2B fill:#e1f5ff
|
|
style LZ3 fill:#ffebee
|
|
```
|
|
|
|
---
|
|
|
|
## 12. Competitive Architecture Comparison
|
|
|
|
Phoenix vs Azure vs AWS showing decentralized vs centralized models.
|
|
|
|
```mermaid
|
|
graph TB
|
|
subgraph phoenix [Phoenix - Decentralized]
|
|
P_Control[Distributed Control Planes]
|
|
P_Client[Client]
|
|
P_Tenant[Tenant]
|
|
P_Sub[Subscription]
|
|
P_Env[Environment]
|
|
P_LandingZone[Landing Zone<br/>Sovereign Cloud]
|
|
end
|
|
|
|
subgraph azure [Azure - Centralized]
|
|
A_Control[Centralized Control Plane]
|
|
A_Tenant[Azure AD Tenant]
|
|
A_Sub[Azure Subscription]
|
|
A_RG[Resource Group]
|
|
A_Region[Azure Region]
|
|
end
|
|
|
|
subgraph aws [AWS - Centralized]
|
|
A_Control2[Centralized Control Plane]
|
|
A_Org[AWS Organization]
|
|
A_Account[AWS Account]
|
|
A_Region2[AWS Region]
|
|
end
|
|
|
|
P_Control --> P_Client
|
|
P_Client --> P_Tenant
|
|
P_Tenant --> P_Sub
|
|
P_Sub --> P_Env
|
|
P_Env --> P_LandingZone
|
|
|
|
A_Control --> A_Tenant
|
|
A_Tenant --> A_Sub
|
|
A_Sub --> A_RG
|
|
A_RG --> A_Region
|
|
|
|
A_Control2 --> A_Org
|
|
A_Org --> A_Account
|
|
A_Account --> A_Region2
|
|
|
|
style P_Control fill:#e8f5e9
|
|
style P_LandingZone fill:#c8e6c9
|
|
style A_Control fill:#ffebee
|
|
style A_Control2 fill:#ffebee
|
|
```
|
|
|
|
---
|
|
|
|
## 13. Data Flow - Cross-Plane Operations
|
|
|
|
Data flow showing how operations span multiple control planes.
|
|
|
|
```mermaid
|
|
sequenceDiagram
|
|
participant User
|
|
participant Commercial as Commercial Plane
|
|
participant Tenancy as Tenancy Plane
|
|
participant Subscription as Subscription Plane
|
|
participant Environment as Environment Plane
|
|
participant Content as Content & DevOps Plane
|
|
participant Infrastructure as Infrastructure
|
|
|
|
User->>Tenancy: Authenticate (Identity)
|
|
Tenancy->>Tenancy: Validate Identity
|
|
Tenancy->>User: Return Tenant Context
|
|
|
|
User->>Commercial: Request Billing Data
|
|
Commercial->>Commercial: Get Client for Tenant
|
|
Commercial->>Commercial: Aggregate Billing
|
|
Commercial->>User: Return Billing Data
|
|
|
|
User->>Subscription: Request Resource Provisioning
|
|
Subscription->>Tenancy: Verify Tenant Authorization
|
|
Subscription->>Commercial: Verify Billing Profile
|
|
Subscription->>Subscription: Check Quotas
|
|
Subscription->>Environment: Provision Environment
|
|
Environment->>Infrastructure: Deploy Resources
|
|
Infrastructure->>Environment: Confirm Deployment
|
|
Environment->>Subscription: Update Status
|
|
Subscription->>User: Confirm Provisioning
|
|
|
|
User->>Content: Deploy Application
|
|
Content->>Content: Build from Git
|
|
Content->>Environment: Request Deployment
|
|
Environment->>Subscription: Verify Authorization
|
|
Subscription->>Environment: Authorize Deployment
|
|
Environment->>Infrastructure: Deploy Application
|
|
Infrastructure->>Environment: Confirm Deployment
|
|
Environment->>Content: Update Status
|
|
Content->>User: Confirm Deployment
|
|
```
|
|
|
|
---
|
|
|
|
## 14. Sequence Diagram - Promotion Flow with Authorization
|
|
|
|
Detailed sequence diagram showing promotion flow with all authorization gates.
|
|
|
|
```mermaid
|
|
sequenceDiagram
|
|
participant Dev as Developer
|
|
participant Git as Git Repository
|
|
participant CI as CI Pipeline
|
|
participant Artifact as Artifact Registry
|
|
participant Policy as Policy Engine
|
|
participant Approval as Approval Workflow
|
|
participant Subscription as Subscription Plane
|
|
participant Environment as Environment Plane
|
|
participant Infrastructure as Infrastructure
|
|
|
|
Dev->>Git: Commit Code to Branch
|
|
Git->>CI: Webhook Trigger
|
|
CI->>CI: Checkout Code
|
|
CI->>CI: Run Unit Tests
|
|
CI->>CI: Run Integration Tests
|
|
CI->>CI: Security Scan (SAST)
|
|
CI->>CI: Dependency Scan
|
|
CI->>CI: Build Artifact
|
|
|
|
alt All Tests Pass
|
|
CI->>Artifact: Store Artifact + Metadata
|
|
Artifact->>Policy: Validate Security Policies
|
|
Artifact->>Policy: Validate Compliance Policies
|
|
Artifact->>Policy: Validate Governance Policies
|
|
|
|
alt All Policies Pass
|
|
Policy->>Approval: Check Environment Type
|
|
|
|
alt Environment is PROD or REGULATED
|
|
Approval->>Approval: Require Manual Approval
|
|
Approval->>ReleaseManager: Send Approval Request
|
|
ReleaseManager->>Approval: Review & Approve/Reject
|
|
|
|
alt Approval Granted
|
|
Approval->>Subscription: Verify Subscription Authorization
|
|
Subscription->>Subscription: Check Service Bundles
|
|
Subscription->>Subscription: Check Quotas
|
|
Subscription->>Approval: Authorization Granted
|
|
|
|
Approval->>Environment: Request Deployment Authorization
|
|
Environment->>Environment: Check Deployment Policies
|
|
Environment->>Environment: Verify Network Isolation
|
|
Environment->>Environment: Verify Data Isolation
|
|
Environment->>Approval: Deployment Authorized
|
|
|
|
Approval->>Infrastructure: Deploy to Environment
|
|
Infrastructure->>Infrastructure: Provision Resources
|
|
Infrastructure->>Infrastructure: Deploy Application
|
|
Infrastructure->>Environment: Deployment Complete
|
|
Environment->>Approval: Confirm Deployment
|
|
Approval->>Dev: Deployment Successful
|
|
else Approval Denied
|
|
Approval->>Dev: Deployment Rejected - Approval Denied
|
|
end
|
|
else Environment is DEV or INT
|
|
Approval->>Subscription: Verify Subscription Authorization
|
|
Subscription->>Approval: Authorization Granted
|
|
Approval->>Environment: Request Deployment Authorization
|
|
Environment->>Approval: Deployment Authorized
|
|
Approval->>Infrastructure: Deploy to Environment
|
|
Infrastructure->>Environment: Deployment Complete
|
|
Environment->>Approval: Confirm Deployment
|
|
Approval->>Dev: Deployment Successful
|
|
end
|
|
else Policy Validation Failed
|
|
Policy->>Dev: Deployment Rejected - Policy Violation
|
|
end
|
|
else Tests Failed
|
|
CI->>Dev: Build Failed - Tests Failed
|
|
end
|
|
```
|
|
|
|
---
|
|
|
|
## 15. Multi-Region Topology
|
|
|
|
Network and governance topology across multiple regions.
|
|
|
|
```mermaid
|
|
graph TB
|
|
subgraph global [Global Coordination]
|
|
GovernanceAPI[Governance API]
|
|
EventBus[Event Bus]
|
|
AuditLog[Global Audit Log]
|
|
end
|
|
|
|
subgraph region1 [Region 1 - Nation A]
|
|
LZ1[Landing Zone 1]
|
|
CP1[Control Plane 1]
|
|
Network1[Network 1<br/>10.1.0.0/16]
|
|
Proxmox1[Proxmox Cluster 1]
|
|
K8s1[Kubernetes Cluster 1]
|
|
end
|
|
|
|
subgraph region2 [Region 2 - Nation B]
|
|
LZ2[Landing Zone 2]
|
|
CP2[Control Plane 2]
|
|
Network2[Network 2<br/>10.2.0.0/16]
|
|
Proxmox2[Proxmox Cluster 2]
|
|
K8s2[Kubernetes Cluster 2]
|
|
end
|
|
|
|
subgraph region3 [Region 3 - Nation C]
|
|
LZ3[Landing Zone 3<br/>Air-Gapped]
|
|
CP3[Control Plane 3]
|
|
Network3[Network 3<br/>10.3.0.0/16]
|
|
Proxmox3[Proxmox Cluster 3]
|
|
K8s3[Kubernetes Cluster 3]
|
|
end
|
|
|
|
GovernanceAPI --> CP1
|
|
GovernanceAPI --> CP2
|
|
GovernanceAPI -.->|governance only| CP3
|
|
|
|
EventBus --> CP1
|
|
EventBus --> CP2
|
|
EventBus -.->|no connectivity| CP3
|
|
|
|
AuditLog --> CP1
|
|
AuditLog --> CP2
|
|
AuditLog -.->|local only| CP3
|
|
|
|
CP1 --> LZ1
|
|
CP2 --> LZ2
|
|
CP3 --> LZ3
|
|
|
|
LZ1 --> Network1
|
|
LZ1 --> Proxmox1
|
|
LZ1 --> K8s1
|
|
|
|
LZ2 --> Network2
|
|
LZ2 --> Proxmox2
|
|
LZ2 --> K8s2
|
|
|
|
LZ3 --> Network3
|
|
LZ3 --> Proxmox3
|
|
LZ3 --> K8s3
|
|
|
|
LZ1 <-->|encrypted tunnel| LZ2
|
|
LZ2 -.->|no connectivity| LZ3
|
|
|
|
style LZ1 fill:#e1f5ff
|
|
style LZ2 fill:#e1f5ff
|
|
style LZ3 fill:#ffebee
|
|
style CP3 fill:#ffebee
|
|
```
|
|
|
|
---
|
|
|
|
## Diagram Usage
|
|
|
|
These diagrams can be used in:
|
|
- Architecture presentations
|
|
- Technical documentation
|
|
- Client proposals
|
|
- Implementation guides
|
|
- Training materials
|
|
|
|
All diagrams use mermaid syntax and can be rendered in:
|
|
- GitHub/GitLab markdown
|
|
- Documentation sites (MkDocs, Docusaurus, etc.)
|
|
- Mermaid Live Editor
|
|
- VS Code with mermaid extensions
|
|
|
|
---
|
|
|
|
**Last Updated**: 2025-01-09
|
|
**Version**: 1.0
|
|
**Status**: Complete Architecture Diagrams
|
|
|