jesus/provisioning
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
provisioning/schemas/platform/examples/full-platform-enterprise.ncl

703 lines
15 KiB
Plaintext
Raw Normal View History

chore: complete nickel migration and consolidate legacy configs - Remove KCL ecosystem (~220 files deleted) - Migrate all infrastructure to Nickel schema system - Consolidate documentation: legacy docs → provisioning/docs/src/ - Add CI/CD workflows (.github/) and Rust build config (.cargo/) - Update core system for Nickel schema parsing - Update README.md and CHANGES.md for v5.0.0 release - Fix pre-commit hooks: end-of-file, trailing-whitespace - Breaking changes: KCL workspaces require migration - Migration bridge available in docs/src/development/
2026-01-08 09:55:37 +00:00
# Example: Complete Provisioning Platform - Enterprise Deployment
#
# This example demonstrates deploying all three platform services together
# in enterprise mode with full integration, security, and observability.
#
# Deployment Architecture:
# - 3x Orchestrator replicas (load balanced)
# - 1x Control Center (with PostgreSQL)
# - 1x MCP Server (for AI/LLM integration)
# - SurrealDB cluster for workflow storage
# - Comprehensive monitoring (Prometheus, Grafana, Loki)
# - Full RBAC, audit logging, and compliance
#
# Usage:
# # Generate all three configs
# nickel eval --format toml orchestrator.ncl > orchestrator.enterprise.toml
# nickel eval --format toml control-center.ncl > control-center.enterprise.toml
# nickel eval --format toml mcp-server.ncl > mcp-server.enterprise.toml
#
# # Deploy to Kubernetes
# kubectl apply -f provisioning/platform/infrastructure/kubernetes/namespace.yaml
# kubectl apply -f provisioning/platform/infrastructure/kubernetes/resource-quota.yaml
# kubectl apply -f provisioning/platform/infrastructure/kubernetes/rbac.yaml
# kubectl apply -f provisioning/platform/infrastructure/kubernetes/*.deployment.yaml
# kubectl apply -f provisioning/platform/infrastructure/kubernetes/*.service.yaml
# kubectl apply -f provisioning/platform/infrastructure/kubernetes/platform-ingress.yaml
# ============================================================================
# Global Configuration
# ============================================================================
let deployment_mode = "enterprise"
let namespace = "provisioning"
let domain = "provisioning.example.com"
let environment = "production"
# ============================================================================
# 1. ORCHESTRATOR CONFIGURATION
# ============================================================================
let orchestrator = {
# Workspace: Production workspace
workspace = {
name = "production",
path = "/var/lib/provisioning/orchestrator",
enabled = true,
multi_workspace = true,
},
# Server: High-performance, multi-replica
server = {
host = "0.0.0.0",
port = 9090,
workers = 16,
keep_alive = 30,
max_connections = 4096,
},
# Storage: SurrealDB cluster (3 nodes for HA)
storage = {
backend = "surrealdb_cluster",
surrealdb_url = "surrealdb://surrealdb-1.${namespace}.svc.cluster.local:8000,surrealdb-2.${namespace}.svc.cluster.local:8000,surrealdb-3.${namespace}.svc.cluster.local:8000",
surrealdb_namespace = "provisioning",
surrealdb_database = "orchestrator-${environment}",
},
# Queue: Maximum throughput
queue = {
max_concurrent_tasks = 100,
retry_attempts = 5,
retry_delay = 2000,
task_timeout = 7200000, # 2 hours
deadletter_queue = {
enabled = true,
max_messages = 10000,
retention_period = 604800, # 7 days
},
priority_levels = ["low", "normal", "high", "critical"],
default_priority = "normal",
},
# Batch: Optimized for large workflows
batch = {
parallel_limit = 50,
operation_timeout = 3600000,
checkpoint = {
enabled = true,
interval = 1000,
auto_cleanup = true,
max_checkpoints = 100,
},
rollback = {
strategy = "automatic",
retain_logs = true,
},
},
# Monitoring: Full observability
monitoring = {
enabled = true,
metrics = {
enabled = true,
interval = 10,
export_format = "prometheus",
},
health_check = {
enabled = true,
interval = 30,
timeout = 5,
},
resources = {
track_cpu = true,
track_memory = true,
track_disk = true,
alert_threshold_cpu = 85,
alert_threshold_memory = 90,
alert_threshold_disk = 95,
},
profiling = {
enabled = true,
sample_rate = 0.1,
},
},
# Logging: Comprehensive audit trail
logging = {
level = "info",
format = "json",
outputs = [
{
destination = "stdout",
level = "warn",
},
{
destination = "file",
path = "/var/log/provisioning/orchestrator/orchestrator.log",
level = "info",
rotation = {
max_size = "500MB",
max_backups = 30,
max_age = 90,
},
},
{
destination = "file",
path = "/var/log/provisioning/orchestrator/audit.log",
level = "info",
rotation = {
max_size = "200MB",
max_backups = 365,
max_age = 365,
},
},
],
},
# Security: Full production hardening
security = {
auth = {
enabled = true,
method = "jwt",
jwt_secret = "${JWT_SECRET}",
jwt_issuer = "provisioning.${environment}",
jwt_audience = "orchestrator-${environment}",
token_expiration = 3600,
},
cors = {
enabled = true,
allowed_origins = [
"https://orchestrator.${domain}",
"https://control-center.${domain}",
"https://mcp.${domain}",
],
allowed_methods = ["GET", "POST", "PUT"],
allowed_headers = ["Content-Type", "Authorization"],
},
tls = {
enabled = true,
cert_path = "/etc/provisioning/certs/orchestrator.crt",
key_path = "/etc/provisioning/certs/orchestrator.key",
min_version = "TLSv1.3",
},
rate_limit = {
enabled = true,
requests_per_second = 10000,
burst_size = 1000,
},
},
# Extensions: Production-ready
extensions = {
auto_load = true,
oci_registry_url = "registry.${domain}:5000",
oci_namespace = "provisioning/extensions",
refresh_interval = 24,
max_concurrent_init = 10,
},
# Database: High-performance pooling
database = {
pool = {
min_size = 20,
max_size = 100,
connection_timeout = 10,
idle_timeout = 600,
max_lifetime = 3600,
},
retry = {
max_attempts = 5,
initial_backoff = 100,
max_backoff = 30000,
},
},
# Features: Full production suite
features = {
enable_audit_logging = true,
enable_task_history = true,
enable_performance_tracking = true,
enable_experimental_features = false,
},
}
# ============================================================================
# 2. CONTROL CENTER CONFIGURATION
# ============================================================================
let control_center = {
server = {
host = "0.0.0.0",
port = 8080,
workers = 4,
keep_alive = 75,
max_connections = 512,
},
database = {
backend = "postgres",
postgres = {
host = "postgres.${namespace}.svc.cluster.local",
port = 5432,
database = "provisioning",
user = "provisioning",
password = "${DB_PASSWORD}",
ssl_mode = "require",
pool = {
min_size = 10,
max_size = 50,
idle_timeout = 300,
},
},
},
auth = {
enabled = true,
jwt = {
issuer = "provisioning.${environment}",
audience = "control-center",
secret = "${JWT_SECRET}",
algorithm = "HS256",
expiration = 3600,
refresh_token_expiration = 604800, # 7 days
},
oauth2 = {
enabled = false,
},
ldap = {
enabled = false,
},
},
rbac = {
enabled = true,
default_role = "viewer",
roles = {
admin = {
description = "Infrastructure administrator",
permissions = ["*"],
},
operator = {
description = "Operations team member",
permissions = [
"orchestrator.view",
"orchestrator.execute",
"orchestrator.manage",
"policies.view",
],
},
developer = {
description = "Developer with read-only access",
permissions = [
"orchestrator.view",
"policies.view",
],
},
},
},
mfa = {
required = true, # Required in enterprise
methods = ["totp", "email"],
totp = {
enabled = true,
issuer = "Provisioning Enterprise",
algorithm = "SHA1",
digits = 6,
period = 30,
},
email = {
enabled = true,
expiration = 300,
},
},
policies = {
password = {
min_length = 16, # Stronger in production
require_uppercase = true,
require_lowercase = true,
require_digits = true,
require_special_chars = true, # Required in production
expiration_days = 90,
history_count = 5,
},
session = {
max_duration = 28800, # 8 hours
idle_timeout = 1800, # 30 minutes (stricter)
max_concurrent = 2, # Limit concurrent sessions
},
audit = {
enabled = true,
log_all_api_calls = true,
log_user_actions = true,
log_rbac_changes = true,
retention_days = 365, # 1 year
},
compliance = {
soc2 = {
enabled = true,
log_all_access = true,
require_mfa = true,
},
hipaa = {
enabled = false, # Unless required
},
},
},
rate_limit = {
enabled = true,
global = {
requests_per_second = 1000,
burst_size = 100,
},
per_user = {
requests_per_second = 100,
burst_size = 20,
},
},
cors = {
enabled = true,
allowed_origins = [
"https://control-center.${domain}",
"https://orchestrator.${domain}",
],
allowed_methods = ["GET", "POST", "PUT", "DELETE", "OPTIONS"],
allowed_headers = ["Content-Type", "Authorization"],
max_age = 86400,
},
tls = {
enabled = true, # Required in production
cert_path = "/etc/provisioning/certs/control-center.crt",
key_path = "/etc/provisioning/certs/control-center.key",
min_version = "TLSv1.3",
},
monitoring = {
enabled = true,
metrics = {
enabled = true,
interval = 30,
export_format = "prometheus",
},
health_check = {
enabled = true,
interval = 30,
timeout = 10,
},
tracing = {
enabled = true,
sample_rate = 0.1,
},
},
logging = {
level = "info",
format = "json",
outputs = [
{
destination = "stdout",
level = "warn",
},
{
destination = "file",
path = "/var/log/provisioning/control-center/control-center.log",
level = "info",
rotation = {
max_size = "500MB",
max_backups = 30,
max_age = 90,
},
},
],
},
orchestrator = {
url = "http://orchestrator:9090",
timeout = 30,
retry = {
max_attempts = 3,
initial_backoff = 100,
max_backoff = 30000,
},
},
features = {
enable_audit_logging = true,
enable_policy_enforcement = true,
enable_experimental_ui = false,
},
}
# ============================================================================
# 3. MCP SERVER CONFIGURATION
# ============================================================================
let mcp_server = {
server = {
host = "0.0.0.0",
port = 8888,
protocol = "http", # HTTP in Kubernetes (UNIX socket elsewhere)
workers = 4,
keep_alive = 75,
},
capabilities = {
tools = {
enabled = true,
max_concurrent = 20,
timeout = 30000,
categories = [
"orchestrator",
"provisioning",
"workspace",
"configuration",
"system",
],
},
resources = {
enabled = true,
max_size = 1073741824, # 1GB
caching = {
enabled = true,
ttl = 3600,
max_entries = 1000,
},
},
prompts = {
enabled = true,
max_length = 10000,
template_engine = "jinja2",
},
sampling = {
enabled = true, # Enabled in enterprise for advanced use
models = ["claude-3-opus-20240229"],
default_model = "claude-3-opus-20240229",
temperature = 0.7,
max_tokens = 8192,
},
},
tools = {
orchestrator = {
enabled = true,
submit_workflow = {
description = "Submit workflows to orchestrator",
timeout = 60000,
},
list_workflows = {
description = "List all workflows",
timeout = 10000,
},
get_workflow = {
description = "Get workflow details",
timeout = 10000,
},
cancel_workflow = {
description = "Cancel running workflow",
timeout = 30000,
},
},
provisioning = {
enabled = true,
deploy_infrastructure = {
description = "Deploy infrastructure",
timeout = 300000,
},
validate_config = {
description = "Validate configuration",
timeout = 30000,
},
},
},
resources = {
file_system = {
enabled = true,
root_path = "/var/lib/provisioning",
allow_write = false, # Read-only in production
allowed_extensions = ["ncl", "toml", "yaml", "json"],
max_file_size = 10485760, # 10MB
},
database = {
enabled = true,
connections = {
orchestrator = {
type = "http",
url = "http://orchestrator:9090/api",
},
control_center = {
type = "http",
url = "http://control-center:8080/api",
},
},
},
},
integration = {
orchestrator = {
enabled = true,
url = "http://orchestrator:9090",
timeout = 30,
auth = {
method = "jwt",
token = "${ORCHESTRATOR_TOKEN}",
},
},
control_center = {
enabled = true,
url = "http://control-center:8080",
timeout = 30,
auth = {
method = "jwt",
token = "${CONTROL_CENTER_TOKEN}",
},
},
claude = {
enabled = true,
api_key = "${CLAUDE_API_KEY}",
model = "claude-3-opus-20240229",
max_tokens = 8192,
},
},
security = {
auth = {
enabled = true,
method = "jwt",
jwt_secret = "${JWT_SECRET}",
},
authorization = {
enabled = true,
role_based = true,
default_role = "viewer",
},
rate_limit = {
enabled = true,
requests_per_second = 100,
burst_size = 20,
},
input_validation = {
enabled = true,
max_input_size = 1000000,
sanitize_inputs = true,
},
},
monitoring = {
enabled = true,
metrics = {
enabled = true,
interval = 30,
export_format = "prometheus",
},
health_check = {
enabled = true,
interval = 30,
timeout = 10,
},
audit = {
enabled = true,
log_all_requests = true,
log_sensitive_data = false,
retention_days = 90,
},
},
logging = {
level = "info",
format = "json",
outputs = [
{
destination = "stdout",
level = "warn",
},
{
destination = "file",
path = "/var/log/provisioning/mcp-server/mcp-server.log",
level = "info",
rotation = {
max_size = "200MB",
max_backups = 15,
max_age = 30,
},
},
],
},
features = {
enable_audit_logging = true,
enable_caching = true,
enable_sampling = true,
enable_experimental_tools = false,
},
performance = {
worker_threads = 4,
blocking_threads = 2,
default_timeout = 30000,
max_timeout = 300000,
request_buffer_size = 1000,
response_buffer_size = 1000,
cache_enabled = true,
cache_size = "256MB",
cache_ttl = 3600,
},
}
# ============================================================================
# Export all configurations
# ============================================================================
{
orchestrator = orchestrator,
control_center = control_center,
mcp_server = mcp_server,
}
Reference in New Issue Copy Permalink