d-bis/Sankofa
4
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
7cd7022f6e0d6ff4232c47cbf4c19cfbc704e102
Sankofa/docs/DEPLOYMENT_REQUIREMENTS.md
defiQUG 9daf1fd378 Apply Composer changes: comprehensive API updates, migrations, middleware, and infrastructure improvements 
- Add comprehensive database migrations (001-024) for schema evolution
- Enhance API schema with expanded type definitions and resolvers
- Add new middleware: audit logging, rate limiting, MFA enforcement, security, tenant auth
- Implement new services: AI optimization, billing, blockchain, compliance, marketplace
- Add adapter layer for cloud integrations (Cloudflare, Kubernetes, Proxmox, storage)
- Update Crossplane provider with enhanced VM management capabilities
- Add comprehensive test suite for API endpoints and services
- Update frontend components with improved GraphQL subscriptions and real-time updates
- Enhance security configurations and headers (CSP, CORS, etc.)
- Update documentation and configuration files
- Add new CI/CD workflows and validation scripts
- Implement design system improvements and UI enhancements
2025-12-12 18:01:35 -08:00

646 lines
16 KiB
Markdown
Raw Blame History

# Sankofa Phoenix - Deployment Requirements
## Overview
This document outlines all requirements needed to deploy **Sankofa** (the ecosystem) and **Sankofa Phoenix** (the sovereign cloud platform). This includes infrastructure, software, network, security, and operational requirements.
---
## 1. Infrastructure Requirements
### 1.1 Edge Sites (Current Implementation)
**Proxmox VE Infrastructure:**
-**Proxmox VE 8+** installed on physical hosts
-**2+ Proxmox nodes** per site (for redundancy)
-**Network bridge** configured (vmbr0)
-**Storage pools** configured (local-lvm, ceph-fs, ceph-rbd)
-**OS Images** available (ubuntu-22.04-cloud.img)
**Current Status:**
- Site 1 (ml110-01): 192.168.11.10 - Operational ✅
- Site 2 (r630-01): 192.168.11.11 - Operational ✅
**Resource Requirements (SMOM-DBIS-138):**
- **Total VMs**: 18 (16 application + 2 infrastructure)
- **Total CPU**: 72 cores
- **Total RAM**: 140 GiB
- **Total Disk**: 278 GiB
### 1.2 Kubernetes Control Plane
**Requirements:**
- **Kubernetes v1.24+** cluster
- **3 master nodes** minimum (for HA)
- **5+ worker nodes** (for production workloads)
- **Container runtime**: containerd or CRI-O
- **CNI plugin**: Calico, Flannel, or Cilium
- **Storage class**: Dynamic provisioning (local-path, NFS, or Ceph)
**Control Plane Components:**
- **Crossplane**: Infrastructure as Code (Proxmox provider)
- **ArgoCD**: GitOps deployment
- **Keycloak**: Identity and access management
- **Prometheus/Grafana**: Monitoring and observability
- **Loki**: Log aggregation
- **Vault**: Secrets management (optional)
### 1.3 Database Infrastructure
**PostgreSQL Requirements:**
- **PostgreSQL 14+** (recommended: 15+)
- **High availability**: Primary + replicas
- **Storage**: NVMe SSD recommended (2TB+ per node)
- **RAM**: 64GB+ per node
- **Backup**: Automated daily backups
**Database Schema:**
- 26 migrations including:
- Multi-tenancy tables
- Billing and usage tracking
- MFA and RBAC
- Blockchain integration
- Audit logging
### 1.4 Blockchain Infrastructure (Future)
**Hyperledger Besu Validators:**
- **3-5 validator nodes** per core datacenter
- **CPU**: AMD EPYC 7763 (64 cores) or Intel Xeon Platinum 8380 (40 cores)
- **RAM**: 128GB DDR4 ECC
- **Storage**: 2x 4TB NVMe SSD (RAID 1) for blockchain state
- **Network**: 2x 25GbE network adapters
- **HSM**: Hardware Security Module for key storage
**Read Replica Nodes:**
- **2-3 nodes** per regional datacenter
- **CPU**: AMD EPYC 7543 (32 cores) or Intel Xeon Gold 6338 (32 cores)
- **RAM**: 64GB DDR4 ECC
- **Storage**: 2x 2TB NVMe SSD (RAID 1)
---
## 2. Software Requirements
### 2.1 Development Tools
**Required:**
- **Node.js 18+** (for frontend, API, portal)
- **pnpm** (recommended) or npm/yarn
- **Go 1.21+** (for Crossplane provider)
- **Docker** (for local development and containerization)
- **Git** (version control)
**Optional:**
- **kubectl** (v1.24+) - Kubernetes CLI
- **helm** (v3.0+) - Kubernetes package manager
- **docker-compose** - Local development
### 2.2 Application Components
**Frontend (Next.js):**
- Next.js 14+
- React + TypeScript
- TailwindCSS + shadcn/ui
- TanStack Query
**Backend:**
- GraphQL API (Apollo Server + Fastify)
- PostgreSQL 14+
- WebSocket support
- Real-time subscriptions
**Portal:**
- Next.js portal application
- Keycloak OIDC integration
- Role-based dashboards
**Infrastructure:**
- Crossplane provider for Proxmox
- Kubernetes custom resources (ProxmoxVM)
- GitOps with ArgoCD
### 2.3 Monitoring and Observability
**Required:**
- **Prometheus**: Metrics collection
- **Grafana**: Dashboards and visualization
- **Loki**: Log aggregation
- **Alertmanager**: Alert routing
**Optional:**
- **Jaeger**: Distributed tracing
- **Kiali**: Service mesh visualization
---
## 3. Network Requirements
### 3.1 Edge Sites (Current)
**Network Configuration:**
- **Network bridge**: vmbr0
- **IP range**: 192.168.11.0/24
- **Gateway**: Configured
- **DNS**: Configured
**Connectivity:**
- **Cloudflare Tunnel**: Outbound-only secure connections
- **Nginx Proxy**: SSL/TLS termination and routing
- **Internet**: High-speed with redundancy
### 3.2 Cloudflare Integration
**Required:**
- **Cloudflare account** with Zero Trust
- **Cloudflare Tunnel** configured
- **DNS records** configured
- **Access policies** configured
- **SSL/TLS certificates** (managed by Cloudflare)
**Tunnel Configuration:**
- Tunnel credentials JSON file
- Ingress rules configured
- Health monitoring enabled
### 3.3 Inter-Datacenter Links (Future)
**Core to Core:**
- **Bandwidth**: 100Gbps+ per link
- **Redundancy**: Multiple redundant paths
- **Type**: Dark fiber or high-bandwidth leased lines
**Core to Regional:**
- **Bandwidth**: 10-40Gbps per link
- **Redundancy**: Redundant paths
- **Type**: Leased lines or MPLS
**Regional to Edge:**
- **Bandwidth**: 1-10Gbps per link
- **Redundancy**: Internet with redundancy
- **Type**: Internet connectivity with Cloudflare Tunnels
---
## 4. Security Requirements
### 4.1 Identity and Access Management
**Keycloak:**
- **Keycloak 20+** deployed
- **OIDC clients** configured:
- `sankofa-api` (backend API)
- `portal-client` (portal application)
- **Realms** configured (multi-tenant support)
- **MFA** enabled (TOTP, FIDO2, SMS, Email)
- **User federation** configured (optional)
**Access Control:**
- **RBAC**: Role-based access control
- **Tenant isolation**: Multi-tenant data isolation
- **API authentication**: JWT tokens
- **Session management**: Secure session handling
### 4.2 Network Security
**Firewalls:**
- **Next-generation firewalls** (Palo Alto, Fortinet, Check Point)
- **Access policies** configured
- **Intrusion detection/prevention** (IDS/IPS)
- **DDoS protection** (Cloudflare)
**Network Segmentation:**
- **VLANs** for different tiers
- **Network policies** in Kubernetes
- **Service mesh** (optional: Istio, Linkerd)
### 4.3 Application Security
**Security Features:**
- **Rate limiting**: 100 req/min per IP, 1000 req/hour per user
- **Security headers**: CSP, HSTS, X-Frame-Options
- **Input sanitization**: Body sanitization middleware
- **Encryption**: TLS 1.2+ for all connections
- **Secrets management**: Kubernetes secrets or Vault
**Audit Logging:**
- **Comprehensive audit trail** for all operations
- **Log retention** policy configured
- **Compliance** logging (GDPR, SOC 2, ISO 27001)
### 4.4 Blockchain Security
**Key Management:**
- **HSM**: Hardware Security Module for validator keys
- **Key rotation**: Automated key rotation
- **Multi-signature**: Multi-party governance
**Network Security:**
- **Private P2P network**: Encrypted peer-to-peer connections
- **Network overlay**: VPN or dedicated network segment
- **Consensus communication**: Secure channels for validators
---
## 5. Environment Configuration
### 5.1 Environment Variables
**API (.env):**
```env
DB_HOST=postgres
DB_PORT=5432
DB_NAME=sankofa
DB_USER=postgres
DB_PASSWORD=your-password
JWT_SECRET=your-jwt-secret
# Sovereign Identity (Keycloak)
KEYCLOAK_URL=http://keycloak:8080
KEYCLOAK_REALM=master
KEYCLOAK_CLIENT_ID=sankofa-api
KEYCLOAK_CLIENT_SECRET=your-keycloak-client-secret
KEYCLOAK_MULTI_REALM=true
# Multi-Tenancy
ENABLE_MULTI_TENANT=true
DEFAULT_TENANT_ID=
BLOCKCHAIN_IDENTITY_ENABLED=true
# Billing
BILLING_GRANULARITY=SECOND
BLOCKCHAIN_BILLING_ENABLED=true
# Blockchain
BLOCKCHAIN_RPC_URL=http://besu:8545
RESOURCE_PROVISIONING_CONTRACT_ADDRESS=0x...
```
**Frontend (.env.local):**
```env
NEXT_PUBLIC_GRAPHQL_ENDPOINT=http://api:4000/graphql
NEXT_PUBLIC_GRAPHQL_WS_ENDPOINT=ws://api:4000/graphql-ws
NEXT_PUBLIC_APP_URL=http://localhost:3000
NODE_ENV=development
```
**Portal (.env.local):**
```env
KEYCLOAK_URL=https://keycloak.sankofa.nexus
KEYCLOAK_REALM=sankofa
KEYCLOAK_CLIENT_ID=portal-client
KEYCLOAK_CLIENT_SECRET=your-secret
NEXT_PUBLIC_CROSSPLANE_API=https://crossplane.sankofa.nexus
NEXT_PUBLIC_ARGOCD_URL=https://argocd.sankofa.nexus
NEXT_PUBLIC_GRAFANA_URL=https://grafana.sankofa.nexus
NEXT_PUBLIC_LOKI_URL=https://loki.sankofa.nexus:3100
```
**Proxmox Provider:**
```env
PROXMOX_HOST=192.168.11.10
PROXMOX_USER=root@pam
PROXMOX_PASS=your-password
# OR
PROXMOX_TOKEN=your-api-token
```
### 5.2 Kubernetes Secrets
**Required Secrets:**
- Database credentials
- Keycloak client secrets
- JWT secrets
- Proxmox API credentials
- Cloudflare tunnel credentials
- SSL/TLS certificates (if not using Cloudflare)
---
## 6. Deployment Steps
### 6.1 Prerequisites Checklist
- [ ] Kubernetes cluster deployed and operational
- [ ] PostgreSQL database deployed and accessible
- [ ] Keycloak deployed and configured
- [ ] Proxmox nodes accessible and configured
- [ ] Cloudflare account and tunnel configured
- [ ] Network connectivity verified
- [ ] DNS records configured
- [ ] SSL/TLS certificates configured
### 6.2 Database Setup
```bash
# 1. Create database
createdb sankofa
# 2. Run migrations (26 migrations)
cd api
npm run db:migrate
# 3. Verify migrations
psql -d sankofa -c "\dt"
# 4. Seed initial data (optional)
npm run db:seed
```
### 6.3 Kubernetes Deployment
```bash
# 1. Create namespaces
kubectl create namespace sankofa
kubectl create namespace crossplane-system
kubectl create namespace monitoring
# 2. Deploy Crossplane
kubectl apply -f gitops/apps/crossplane/
# 3. Deploy Proxmox Provider
kubectl apply -f crossplane-provider-proxmox/config/
# 4. Deploy ArgoCD
kubectl apply -f gitops/apps/argocd/
# 5. Deploy Keycloak
kubectl apply -f gitops/apps/keycloak/
# 6. Deploy API
kubectl apply -f gitops/apps/api/
# 7. Deploy Frontend
kubectl apply -f gitops/apps/frontend/
# 8. Deploy Portal
kubectl apply -f gitops/apps/portal/
# 9. Deploy Monitoring
kubectl apply -f gitops/apps/monitoring/
```
### 6.4 Proxmox VM Deployment
```bash
# 1. Deploy infrastructure VMs first
kubectl apply -f examples/production/nginx-proxy-vm.yaml
kubectl apply -f examples/production/cloudflare-tunnel-vm.yaml
# 2. Deploy application VMs
kubectl apply -f examples/production/smom-dbis-138/
# 3. Monitor deployment
kubectl get proxmoxvm -A -w
# 4. Check controller logs
kubectl logs -n crossplane-system -l app=crossplane-provider-proxmox --tail=50 -f
```
### 6.5 GitOps Setup (ArgoCD)
```bash
# 1. Apply ArgoCD application
kubectl apply -f gitops/apps/argocd/application.yaml
# 2. Sync application
argocd app sync sankofa-phoenix
# 3. Verify sync status
argocd app get sankofa-phoenix
```
### 6.6 Multi-Tenancy Setup
```bash
# 1. Create system tenant (via GraphQL)
curl -X POST http://api.sankofa.nexus/graphql \
-H "Content-Type: application/json" \
-H "Authorization: Bearer <admin-token>" \
-d '{
"query": "mutation { createTenant(input: { name: \"system\", tier: SOVEREIGN }) { id name billingAccountId } }"
}'
# 2. Assign admin user to system tenant
curl -X POST http://api.sankofa.nexus/graphql \
-H "Content-Type: application/json" \
-H "Authorization: Bearer <admin-token>" \
-d '{
"query": "mutation { addUserToTenant(tenantId: \"<system-tenant-id>\", userId: \"<admin-user-id>\", role: TENANT_OWNER) }"
}'
```
---
## 7. Verification and Testing
### 7.1 Health Checks
```bash
# API health
curl http://api.sankofa.nexus/health
# Frontend
curl http://frontend.sankofa.nexus
# Portal
curl http://portal.sankofa.nexus
# Keycloak health
curl http://keycloak.sankofa.nexus/health
# Proxmox VMs
kubectl get proxmoxvm -A
```
### 7.2 Smoke Tests
```bash
# Run smoke tests
./scripts/smoke-tests.sh
```
### 7.3 Performance Testing
```bash
# Load testing
./scripts/performance-test.sh
# k6 load test
k6 run scripts/k6-load-test.js
```
---
## 8. Operational Requirements
### 8.1 Monitoring and Alerting
**Required:**
- Prometheus metrics collection
- Grafana dashboards
- Alertmanager rules
- Notification channels (email, Slack, PagerDuty)
**Key Metrics:**
- API response times
- Database query performance
- VM resource utilization
- Blockchain network health
- Service availability
### 8.2 Backup and Disaster Recovery
**Database Backups:**
- Daily automated backups
- Retention policy: 30 days minimum
- Off-site backup storage
- Backup verification scripts
**VM Backups:**
- Proxmox backup schedules
- Snapshot management
- Disaster recovery procedures
### 8.3 Support and Operations
**Required:**
- 24/7 on-call rotation
- Incident response procedures
- Runbooks for common issues
- Escalation procedures
- Support team training
---
## 9. Compliance and Governance
### 9.1 Compliance Requirements
**Data Protection:**
- GDPR compliance (EU)
- Data retention policies
- Privacy policy published
- Terms of service published
**Security Standards:**
- SOC 2 Type II (if applicable)
- ISO 27001 (if applicable)
- Security audit procedures
- Penetration testing
### 9.2 Governance
**Multi-Tenancy:**
- Tenant isolation verified
- Resource quotas enforced
- Billing accuracy verified
- Audit logging enabled
**Blockchain Governance:**
- Multi-party governance nodes
- Smart contract upgrade procedures
- Network upgrade procedures
---
## 10. Cost Estimates
### 10.1 Infrastructure Costs
**Edge Sites (Current):**
- Proxmox hardware: $10K-$50K per site
- Network equipment: $5K-$20K per site
- Power and cooling: $1K-$5K per year per site
**Kubernetes Cluster:**
- Control plane: $500-$2K per month
- Worker nodes: $1K-$5K per month
- Storage: $200-$1K per month
**Database:**
- PostgreSQL cluster: $500-$2K per month
- Backup storage: $100-$500 per month
### 10.2 Cloudflare Costs
**Zero Trust:**
- Free tier: Up to 50 users
- Paid tier: $7 per user per month
**Tunnels:**
- Free: Unlimited tunnels
- Paid: Additional features
**Bandwidth:**
- Included in Zero Trust plan
- Additional bandwidth: $0.10-$0.50 per GB
### 10.3 Operational Costs
**Personnel:**
- DevOps engineers: $100K-$200K per year
- SRE engineers: $120K-$250K per year
- Support staff: $50K-$100K per year
**Software Licenses:**
- Most components are open source
- Optional commercial support: $10K-$100K per year
---
## 11. Quick Start Summary
### Minimum Viable Deployment
**For Development/Testing:**
1. Single Kubernetes cluster (3 nodes minimum)
2. PostgreSQL database (single instance)
3. Keycloak (single instance)
4. 2 Proxmox nodes
5. Cloudflare account (free tier)
6. All application components deployed
**For Production:**
1. High-availability Kubernetes cluster (3 masters + 5 workers)
2. PostgreSQL cluster (primary + replicas)
3. Keycloak cluster (HA)
4. Multiple Proxmox sites (2+ sites)
5. Cloudflare Zero Trust (paid tier)
6. Monitoring and alerting configured
7. Backup and disaster recovery configured
8. Security hardening completed
---
## 12. Documentation References
- **[Production Deployment Ready](./PRODUCTION_DEPLOYMENT_READY.md)** - Current deployment status
- **[Launch Checklist](./status/LAUNCH_CHECKLIST.md)** - Pre-launch verification
- **[Deployment Guide](./DEPLOYMENT.md)** - Detailed deployment instructions
- **[Deployment Plan](./deployment_plan.md)** - Phased rollout plan
- **[System Architecture](./system_architecture.md)** - Overall architecture
- **[Hardware BOM](./hardware_bom.md)** - Hardware specifications
- **[VM Deployment Plan](./VM_DEPLOYMENT_PLAN.md)** - VM deployment guide
---
## 13. Next Steps
1. **Review Prerequisites**: Verify all infrastructure and software requirements
2. **Configure Environment**: Set up environment variables and secrets
3. **Deploy Database**: Run migrations and seed data
4. **Deploy Kubernetes**: Deploy control plane components
5. **Deploy Applications**: Deploy API, frontend, and portal
6. **Deploy VMs**: Deploy Proxmox VMs via Crossplane
7. **Configure Monitoring**: Set up Prometheus, Grafana, and Loki
8. **Verify Deployment**: Run health checks and smoke tests
9. **Configure Multi-Tenancy**: Set up initial tenants
10. **Go Live**: Enable production traffic
---
**Last Updated**: 2025-01-XX
**Status**: Comprehensive deployment requirements documented
Reference in New Issue View Git Blame Copy Permalink