# Info: KCL execution mode schemas for provisioning # Author: Mode System Implementation # Release: 1.0.0 # Date: 2025-10-06 """ Execution mode schemas defining deployment patterns and service configurations Modes: - solo: Single developer, local development - multi-user: Team collaboration with shared services - cicd: CI/CD pipeline execution - enterprise: Production enterprise deployment """ import provisioning.settings as cfg import provisioning.kcl.oci_registry as oci schema ExecutionMode: """ Base execution mode schema defining common configuration All execution modes inherit from this base schema and must specify service deployment strategy, authentication, and workspace policies. """ # Mode identifier mode_name: "solo" | "multi-user" | "cicd" | "enterprise" # Human-readable description description: str # Authentication strategy authentication: AuthenticationStrategy # Service deployment configurations services: ServiceDeployments # Extension source configuration extensions: ExtensionConfig # Workspace management policies workspaces: WorkspacePolicy # Security configuration security: SecurityConfig # Resource limits (optional, for multi-user/enterprise) resource_limits?: ResourceLimits check: len(description) > 0, "Mode description required" schema AuthenticationStrategy: """Authentication configuration for mode""" # Authentication type auth_type: "none" | "token" | "mtls" | "oauth" | "kms" # Token configuration (for token auth) token_config?: TokenConfig # mTLS configuration (for mtls auth) mtls_config?: MTLSConfig # OAuth configuration (for oauth auth) oauth_config?: OAuthConfig # SSH key storage location ssh_key_storage: "local" | "kms" | "vault" = "local" check: auth_type == "none" or ( (auth_type == "token" and token_config != Undefined) or (auth_type == "mtls" and mtls_config != Undefined) or (auth_type == "oauth" and oauth_config != Undefined) or (auth_type == "kms") ), "Auth config must match auth type" schema TokenConfig: """Token-based authentication configuration""" token_path: str token_format: "jwt" | "opaque" = "jwt" expiry_seconds: int = 86400 # 24 hours refresh_enabled: bool = True check: len(token_path) > 0, "Token path required" expiry_seconds > 0, "Expiry must be positive" schema MTLSConfig: """Mutual TLS authentication configuration""" client_cert_path: str client_key_path: str ca_cert_path: str verify_server: bool = True check: len(client_cert_path) > 0, "Client cert path required" len(client_key_path) > 0, "Client key path required" len(ca_cert_path) > 0, "CA cert path required" schema OAuthConfig: """OAuth 2.0 authentication configuration""" provider_url: str client_id: str client_secret_path: str scopes: [str] = ["read", "write"] redirect_uri?: str check: len(provider_url) > 0, "Provider URL required" len(client_id) > 0, "Client ID required" schema ServiceDeployments: """Service deployment configuration""" orchestrator: ServiceConfig control_center?: ServiceConfig coredns?: ServiceConfig gitea?: ServiceConfig oci_registry: oci.OCIRegistryConfig # Custom services custom_services?: {str: ServiceConfig} schema ServiceConfig: """Individual service configuration""" # Deployment location deployment: "local" | "remote" | "k8s" | "disabled" # For local deployment local_config?: LocalServiceConfig # For remote deployment remote_config?: RemoteServiceConfig # For Kubernetes deployment k8s_config?: K8sServiceConfig # Auto-start service auto_start: bool = False # Health check configuration health_check?: HealthCheck check: deployment == "disabled" or ( (deployment == "local" and local_config != Undefined) or (deployment == "remote" and remote_config != Undefined) or (deployment == "k8s" and k8s_config != Undefined) ), "Service config must match deployment type" schema LocalServiceConfig: """Local service deployment configuration""" binary_path?: str config_path?: str data_dir: str port: int bind_address: str = "127.0.0.1" tls_enabled: bool = False check: port > 0 and port < 65536, "Port must be 1-65535" len(data_dir) > 0, "Data directory required" schema RemoteServiceConfig: """Remote service configuration""" endpoint: str port?: int tls_enabled: bool = True verify_ssl: bool = True timeout: int = 30 retries: int = 3 check: len(endpoint) > 0, "Endpoint required" timeout > 0, "Timeout must be positive" schema K8sServiceConfig: """Kubernetes service deployment configuration""" namespace: str = "provisioning" deployment_name: str service_name: str replicas: int = 1 image: str image_pull_policy: "Always" | "IfNotPresent" | "Never" = "IfNotPresent" resources?: K8sResources check: len(namespace) > 0, "Namespace required" len(deployment_name) > 0, "Deployment name required" replicas > 0, "Replicas must be positive" schema K8sResources: """Kubernetes resource requirements""" cpu_request: str = "100m" cpu_limit: str = "500m" memory_request: str = "128Mi" memory_limit: str = "512Mi" schema HealthCheck: """Service health check configuration""" enabled: bool = True endpoint: str = "/health" interval: int = 10 # seconds timeout: int = 5 healthy_threshold: int = 2 unhealthy_threshold: int = 3 check: interval > 0, "Interval must be positive" timeout > 0 and timeout < interval, "Timeout must be less than interval" schema ExtensionConfig: """Extension source and distribution configuration""" # Extension source: local files, gitea, or OCI registry source: "local" | "gitea" | "oci" | "mixed" # Local path for extensions (for local source) local_path?: str # Gitea configuration (for gitea source) gitea_config?: GiteaConfig # OCI registry configuration (for oci source) oci_registry?: OCIExtensionConfig # Allow mixed sources allow_mixed: bool = False check: source == "local" and local_path != Undefined or source == "gitea" and gitea_config != Undefined or source == "oci" and oci_registry != Undefined or source == "mixed", "Extension config must match source type" schema GiteaConfig: """Gitea extension repository configuration""" url: str organization: str = "provisioning" username?: str token_path?: str verify_ssl: bool = True check: len(url) > 0, "Gitea URL required" schema OCIExtensionConfig: """OCI registry extension configuration""" enabled: bool = True endpoint: str namespace: str = "provisioning-extensions" auth_token_path?: str tls_enabled: bool = True verify_ssl: bool = True cache_dir: str = "~/.provisioning/oci-cache" check: len(endpoint) > 0, "OCI endpoint required" len(namespace) > 0, "OCI namespace required" schema WorkspacePolicy: """Workspace management policies""" # Workspace locking locking: "disabled" | "enabled" | "required" # Lock provider (if locking enabled) lock_provider?: "gitea" | "etcd" | "redis" | "filesystem" # Git integration requirement git_integration: "disabled" | "optional" | "required" # Workspace isolation isolation: "none" | "user" | "strict" = "user" # Maximum concurrent workspaces per user max_workspaces_per_user?: int check: locking == "disabled" or lock_provider != Undefined, \ "Lock provider required when locking enabled" git_integration in ["disabled", "optional", "required"], \ "Invalid git integration setting" schema SecurityConfig: """Security policies for mode""" # Encryption requirements encryption_at_rest: bool = False encryption_in_transit: bool = False # Secret management secret_provider: cfg.SecretProvider = cfg.SecretProvider {} # DNS modification policy dns_modification: "none" | "coredns" | "system" = "none" # Audit logging audit_logging: bool = False audit_log_path?: str # Network policies network_isolation: bool = False check: not audit_logging or audit_log_path != Undefined, \ "Audit log path required when audit logging enabled" schema ResourceLimits: """Resource limits for multi-user/enterprise modes""" # Per-user limits max_servers_per_user: int = 10 max_cpu_cores_per_user: int = 32 max_memory_gb_per_user: int = 128 max_storage_gb_per_user: int = 500 # Global limits max_total_servers?: int max_total_cpu_cores?: int max_total_memory_gb?: int check: max_servers_per_user > 0, "Max servers must be positive" max_cpu_cores_per_user > 0, "Max CPU must be positive" max_memory_gb_per_user > 0, "Max memory must be positive" # ============================================================================ # Concrete Mode Schemas # ============================================================================ schema SoloMode(ExecutionMode): """ Solo mode: Single developer local development Characteristics: - No authentication required - Local service deployment - Optional OCI registry for extension testing - No workspace locking - Minimal security constraints Example: SoloMode { mode_name = "solo" description = "Local development environment" } """ mode_name: "solo" = "solo" description: str = "Single developer local development mode" authentication: AuthenticationStrategy = AuthenticationStrategy { auth_type = "none" ssh_key_storage = "local" } services: ServiceDeployments = ServiceDeployments { orchestrator = ServiceConfig { deployment = "local" auto_start = True local_config = LocalServiceConfig { data_dir = "~/.provisioning/orchestrator" port = 8080 } } control_center = ServiceConfig { deployment = "disabled" } coredns = ServiceConfig { deployment = "disabled" } gitea = ServiceConfig { deployment = "disabled" } oci_registry = oci.OCIRegistryConfig { deployment = "local" type = "zot" endpoint = "localhost" port = 5000 tls_enabled = False auth_required = False local = oci.LocalOCIConfig { data_dir = "~/.provisioning/oci-registry" config_path = "~/.provisioning/oci-registry/config.json" auto_start = False } namespaces = oci.OCINamespaces { extensions = "dev-extensions" kcl_packages = "dev-kcl" platform_images = "dev-platform" test_images = "dev-test" } } } extensions: ExtensionConfig = ExtensionConfig { source = "local" local_path = "./provisioning/extensions" allow_mixed = True } workspaces: WorkspacePolicy = WorkspacePolicy { locking = "disabled" git_integration = "optional" isolation = "none" } security: SecurityConfig = SecurityConfig { encryption_at_rest = False encryption_in_transit = False dns_modification = "none" audit_logging = False network_isolation = False } schema MultiUserMode(ExecutionMode): """ Multi-user mode: Team collaboration with shared services Characteristics: - Token-based authentication - Remote shared services - OCI registry for extension distribution - Workspace locking enabled - Git integration required - User resource limits Example: MultiUserMode { mode_name = "multi-user" description = "Team collaboration environment" } """ mode_name: "multi-user" = "multi-user" description: str = "Team collaboration with shared services" authentication: AuthenticationStrategy = AuthenticationStrategy { auth_type = "token" token_config = TokenConfig { token_path = "~/.provisioning/tokens/auth" token_format = "jwt" expiry_seconds = 86400 refresh_enabled = True } ssh_key_storage = "local" } services: ServiceDeployments = ServiceDeployments { orchestrator = ServiceConfig { deployment = "remote" remote_config = RemoteServiceConfig { endpoint = "orchestrator.company.local" port = 8080 tls_enabled = True verify_ssl = True timeout = 30 retries = 3 } } control_center = ServiceConfig { deployment = "remote" remote_config = RemoteServiceConfig { endpoint = "control.company.local" port = 8081 tls_enabled = True } } coredns = ServiceConfig { deployment = "remote" remote_config = RemoteServiceConfig { endpoint = "dns.company.local" port = 53 tls_enabled = False } } gitea = ServiceConfig { deployment = "remote" remote_config = RemoteServiceConfig { endpoint = "git.company.local" port = 443 tls_enabled = True } } oci_registry = oci.OCIRegistryConfig { deployment = "remote" type = "harbor" endpoint = "harbor.company.local" tls_enabled = True auth_required = True remote = oci.RemoteOCIConfig { timeout = 30 retries = 3 verify_ssl = True } namespaces = oci.OCINamespaces { extensions = "provisioning-extensions" kcl_packages = "provisioning-kcl" platform_images = "provisioning-platform" test_images = "provisioning-test" } } } extensions: ExtensionConfig = ExtensionConfig { source = "oci" oci_registry = OCIExtensionConfig { enabled = True endpoint = "harbor.company.local" namespace = "provisioning-extensions" auth_token_path = "~/.provisioning/tokens/oci" tls_enabled = True verify_ssl = True cache_dir = "~/.provisioning/oci-cache" } } workspaces: WorkspacePolicy = WorkspacePolicy { locking = "enabled" lock_provider = "gitea" git_integration = "required" isolation = "user" max_workspaces_per_user = 5 } security: SecurityConfig = SecurityConfig { encryption_at_rest = False encryption_in_transit = True dns_modification = "coredns" audit_logging = True audit_log_path = "/var/log/provisioning/audit.log" network_isolation = False } resource_limits: ResourceLimits = ResourceLimits { max_servers_per_user = 10 max_cpu_cores_per_user = 32 max_memory_gb_per_user = 128 max_storage_gb_per_user = 500 max_total_servers = 100 max_total_cpu_cores = 320 max_total_memory_gb = 1024 } schema CICDMode(ExecutionMode): """ CI/CD mode: Automated pipeline execution Characteristics: - Token or mTLS authentication - Remote service endpoints - OCI registry for artifacts - No workspace locking (stateless) - Git integration required - Ephemeral workspaces Example: CICDMode { mode_name = "cicd" description = "CI/CD pipeline environment" } """ mode_name: "cicd" = "cicd" description: str = "CI/CD pipeline automated execution" authentication: AuthenticationStrategy = AuthenticationStrategy { auth_type = "token" token_config = TokenConfig { token_path = "/var/run/secrets/provisioning/token" token_format = "jwt" expiry_seconds = 3600 # 1 hour refresh_enabled = False } ssh_key_storage = "kms" } services: ServiceDeployments = ServiceDeployments { orchestrator = ServiceConfig { deployment = "remote" remote_config = RemoteServiceConfig { endpoint = "orchestrator.cicd.local" port = 8080 tls_enabled = True verify_ssl = True timeout = 60 retries = 5 } } control_center = ServiceConfig { deployment = "disabled" } coredns = ServiceConfig { deployment = "remote" remote_config = RemoteServiceConfig { endpoint = "dns.cicd.local" port = 53 } } gitea = ServiceConfig { deployment = "remote" remote_config = RemoteServiceConfig { endpoint = "git.cicd.local" port = 443 tls_enabled = True } } oci_registry = oci.OCIRegistryConfig { deployment = "remote" type = "harbor" endpoint = "registry.cicd.local" tls_enabled = True auth_required = True remote = oci.RemoteOCIConfig { timeout = 60 retries = 5 verify_ssl = True } namespaces = oci.OCINamespaces { extensions = "cicd-extensions" kcl_packages = "cicd-kcl" platform_images = "cicd-platform" test_images = "cicd-test" } } } extensions: ExtensionConfig = ExtensionConfig { source = "oci" oci_registry = OCIExtensionConfig { enabled = True endpoint = "registry.cicd.local" namespace = "cicd-extensions" auth_token_path = "/var/run/secrets/provisioning/oci-token" tls_enabled = True verify_ssl = True cache_dir = "/tmp/provisioning-oci-cache" } } workspaces: WorkspacePolicy = WorkspacePolicy { locking = "disabled" git_integration = "required" isolation = "strict" max_workspaces_per_user = 1 } security: SecurityConfig = SecurityConfig { encryption_at_rest = True encryption_in_transit = True dns_modification = "coredns" audit_logging = True audit_log_path = "/var/log/provisioning/cicd-audit.log" network_isolation = True } resource_limits: ResourceLimits = ResourceLimits { max_servers_per_user = 5 max_cpu_cores_per_user = 16 max_memory_gb_per_user = 64 max_storage_gb_per_user = 200 } schema EnterpriseMode(ExecutionMode): """ Enterprise mode: Production enterprise deployment Characteristics: - mTLS or OAuth authentication - Kubernetes-deployed services - Enterprise OCI registry (Harbor HA) - Workspace locking required - Git integration required - Full encryption and auditing - Strict resource limits Example: EnterpriseMode { mode_name = "enterprise" description = "Production enterprise environment" } """ mode_name: "enterprise" = "enterprise" description: str = "Production enterprise deployment with full security" authentication: AuthenticationStrategy = AuthenticationStrategy { auth_type = "mtls" mtls_config = MTLSConfig { client_cert_path = "/etc/provisioning/certs/client.crt" client_key_path = "/etc/provisioning/certs/client.key" ca_cert_path = "/etc/provisioning/certs/ca.crt" verify_server = True } ssh_key_storage = "kms" } services: ServiceDeployments = ServiceDeployments { orchestrator = ServiceConfig { deployment = "k8s" k8s_config = K8sServiceConfig { namespace = "provisioning-system" deployment_name = "orchestrator" service_name = "orchestrator-svc" replicas = 3 image = "harbor.enterprise.local/provisioning/orchestrator:latest" resources = K8sResources { cpu_request = "500m" cpu_limit = "2000m" memory_request = "1Gi" memory_limit = "4Gi" } } } control_center = ServiceConfig { deployment = "k8s" k8s_config = K8sServiceConfig { namespace = "provisioning-system" deployment_name = "control-center" service_name = "control-center-svc" replicas = 2 image = "harbor.enterprise.local/provisioning/control-center:latest" } } coredns = ServiceConfig { deployment = "k8s" k8s_config = K8sServiceConfig { namespace = "kube-system" deployment_name = "coredns" service_name = "kube-dns" replicas = 2 image = "registry.k8s.io/coredns/coredns:latest" } } gitea = ServiceConfig { deployment = "k8s" k8s_config = K8sServiceConfig { namespace = "provisioning-system" deployment_name = "gitea" service_name = "gitea-svc" replicas = 2 image = "gitea/gitea:latest" } } oci_registry = oci.OCIRegistryConfig { deployment = "remote" type = "harbor" endpoint = "harbor.enterprise.local" tls_enabled = True auth_required = True remote = oci.RemoteOCIConfig { timeout = 60 retries = 5 verify_ssl = True } namespaces = oci.OCINamespaces { extensions = "prod-extensions" kcl_packages = "prod-kcl" platform_images = "prod-platform" test_images = "test-images" } } } extensions: ExtensionConfig = ExtensionConfig { source = "oci" oci_registry = OCIExtensionConfig { enabled = True endpoint = "harbor.enterprise.local" namespace = "prod-extensions" auth_token_path = "/etc/provisioning/tokens/oci" tls_enabled = True verify_ssl = True cache_dir = "/var/cache/provisioning/oci" } } workspaces: WorkspacePolicy = WorkspacePolicy { locking = "required" lock_provider = "etcd" git_integration = "required" isolation = "strict" max_workspaces_per_user = 3 } security: SecurityConfig = SecurityConfig { encryption_at_rest = True encryption_in_transit = True secret_provider = cfg.SecretProvider { provider = "kms" kms_config = cfg.KmsConfig { server_url = "https://kms.enterprise.local" auth_method = "certificate" client_cert_path = "/etc/provisioning/certs/kms-client.crt" client_key_path = "/etc/provisioning/certs/kms-client.key" ca_cert_path = "/etc/provisioning/certs/kms-ca.crt" verify_ssl = True } } dns_modification = "system" audit_logging = True audit_log_path = "/var/log/provisioning/enterprise-audit.log" network_isolation = True } resource_limits: ResourceLimits = ResourceLimits { max_servers_per_user = 20 max_cpu_cores_per_user = 64 max_memory_gb_per_user = 256 max_storage_gb_per_user = 1000 max_total_servers = 500 max_total_cpu_cores = 2000 max_total_memory_gb = 8192 }