Add Micro–DC/docs/repo-split-charter.toon.yaml

2025-12-04 22:59:17 +00:00
parent 0640f02025
commit a283a7e0fd


@@ -0,0 +1,261 @@
meta:
format: toon
version: "1.0"
kind: "repo_split_charter"
name: "Sovereign Platform — 3-Repo Split Charter"
location_hint: "sovereign-governance/docs/repo-split-charter.toon.yaml"
generated_by: "AI Council OS — ORIGINZERO"
status: "draft"
context:
objective: >
Define a clear 3-repo structure (infra foundation, platform, governance) for
sovereign micro-DC deployments, including responsibilities, dependencies,
and data flows. This charter serves as the canonical reference when
splitting or refactoring repositories.
background: >
Initial implementation may use a single monorepo. This charter describes the
target 3-repo architecture and the contracts between them, so the split can
be performed mechanically once teams and tooling are ready.
principles:
- "Governance code (policies, classifications, toolset profiles) is separated from implementation code."
- "Repositories map to stable responsibility domains and teams."
- "Dependencies are one-way: governance → infra, governance → platform, infra → platform."
- "No circular dependencies between repos."
- "All artifacts and contracts are versioned and traceable."
repos:
- id: "R1"
name: "sovereign-infra-foundation"
description: >
Physical, network, bare-metal, and hypervisor definition for sovereign
micro-DC modules. Knows about sites, racks, networks, host roles; does not
define business workloads.
ownership:
primary_roles:
- "Physical Infrastructure & Facility Engineering Lead"
- "Network Architect"
supporting_roles:
- "Virtualization Architect"
- "Capacity & Performance Engineer"
responsibilities:
- "Define site manifests (location, IT load, racks, energy profile)."
- "Define and deploy network underlay/overlay (leaf-spine, VRFs, VPNs)."
- "Define bare-metal profiles and provisioning flows."
- "Define hypervisor configuration (e.g., Proxmox roles, host groups)."
- "Expose stable, machine-readable outputs consumed by platform."
non_responsibilities:
- "Does not own Kubernetes clusters or workloads."
- "Does not define data classification or residency rules."
- "Does not define platform observability or admission policies."
key_paths_example:
facility:
- "facility/site_manifests/<SITE_CODE>.yaml"
- "facility/rack_layouts/"
network:
- "network/terraform/modules/"
- "network/terraform/sites/<SITE_CODE>/"
- "network/tests/batfish/"
baremetal_and_hypervisor:
- "baremetal/profiles/"
- "hypervisor/ansible/"
ci_requirements:
- "Terraform validate/plan for network changes."
- "Ansible lint and idempotence checks for host roles."
- "Batfish tests for network and sovereignty invariants."
- "Schema validation for site manifests."
- id: "R2"
name: "sovereign-platform"
description: >
Kubernetes clusters, GitOps configuration, platform services, and
observability for sovereign micro-DC modules. Consumes infra and
governance artifacts to provide secure, multi-tenant platforms.
ownership:
primary_roles:
- "Principal SRE / Automation & IaC Lead"
- "Platform Lifecycle & Operations Lead"
supporting_roles:
- "SRE Reliability Engineering Lead"
- "CI/CD & GitOps Governance Lead"
responsibilities:
- "Define and manage K8s clusters per site."
- "Define Argo CD applications and projects (infra vs tenant)."
- "Deploy and configure observability stack (Prometheus, Loki, Tempo, Grafana)."
- "Apply policy bundles (Kyverno/OPA) provided by governance."
- "Implement namespace, storageClass, and quota conventions aligned with data policies."
- "Expose SLOs/SLIs including AI/ML fabric SLOs and sustainability metrics."
non_responsibilities:
- "Does not define physical facility or base network topologies."
- "Does not author data classification or residency rules (consumes them)."
- "Does not define global RBAC/role taxonomy (consumes from governance)."
key_paths_example:
k8s_clusters:
- "k8s/clusters/<SITE_CODE>/cluster-bootstrap/"
- "k8s/clusters/<SITE_CODE>/apps-of-apps.yaml"
addons:
- "addons/monitoring-logging-security/{prometheus,loki,tempo,grafana,kyverno}/"
gitops:
- "gitops/argo-apps/"
- "gitops/projects/"
ci_requirements:
- "K8s schema validation and manifest linting."
- "Policy-as-code tests using governance policy bundles."
- "Argo CD dry-run or diff checks for critical environments."
- "SLO rule validation (Prometheus rule files)."
- id: "R3"
name: "sovereign-governance"
description: >
Defines the laws of the system: data classification, residency rules,
toolset profiles, sustainability KPIs, RBAC models, and policy bundles.
Does not depend on infra or platform repos.
ownership:
primary_roles:
- "Sovereign Compliance & Sustainability Lead"
- "Security Architect"
supporting_roles:
- "DPO / Legal (Reviewers)"
- "CI/CD & GitOps Governance Lead"
responsibilities:
- "Define and maintain data classification and residency rules."
- "Define workload offloading policies (local micro-DC vs hyperscale cloud)."
- "Define sustainability KPIs and targets (PUE, WUE, renewables, reuse)."
- "Define RBAC/role taxonomy and IAM governance models."
- "Define toolset profiles (e.g., minimum toolset MVP)."
- "Author and test policy bundles (Kyverno/OPA) for cluster and pipeline enforcement."
- "Version and publish policy bundles and schemas for consumption by other repos."
non_responsibilities:
- "Does not manage specific site infrastructure or cluster definitions."
- "Does not operate CI/CD or production clusters directly."
key_paths_example:
data_policies:
- "data-policies/data-classification.yaml"
- "data-policies/residency-rules.yaml"
- "data-policies/workload-offloading-policy.yaml"
sustainability:
- "sustainability/sustainability-kpis.yaml"
- "sustainability/reporting-templates/"
rbac_and_iam:
- "rbac-and-iam/rbac-and-iam.yaml"
- "rbac-and-iam/role-definitions/"
policy_bundles:
- "policy-bundles/kyverno/"
- "policy-bundles/opa/"
toolset_profiles:
- "toolset-profiles/minimum-toolset-profile.toon.yaml"
ci_requirements:
- "Policy unit tests and snapshot tests against sample manifests."
- "Schema validation for data, residency, and RBAC definitions."
- "Versioning and publication of policy bundles as artifacts (e.g., tags)."
dependencies_and_flow:
dependency_direction:
- "R3 (sovereign-governance) → R1 (sovereign-infra-foundation)"
- "R3 (sovereign-governance) → R2 (sovereign-platform)"
- "R1 (sovereign-infra-foundation) → R2 (sovereign-platform)"
- "No dependencies: R1 → R3, R2 → R1, or R2 → R3"
governance_to_infra:
consumed_artifacts:
- "Data classification levels and residency rules (for backup/DR topology)."
- "Sustainability KPIs (for site design and power/cooling decisions)."
- "Toolset profiles (for IaC and network verification tool choices)."
consumption_modes:
- "Human-readable docs and runbooks."
- "Schemas and enums used in site manifests."
- "Policy bundles referenced in infra CI (optional)."
governance_to_platform:
consumed_artifacts:
- "Data classification and residency rules (for namespaces, storageClasses)."
- "Workload offloading policies (for local vs cloud decisions)."
- "RBAC models (for cluster roles, Argo Projects, tenant boundaries)."
- "Toolset profiles (for GitOps and observability stack)."
- "Kyverno/OPA policy bundles and test harnesses."
consumption_modes:
- "Pinned policy bundle versions in cluster configs (e.g. policy-bundle-vYYYY.MM.DD)."
- "CI pipeline inputs for policy-as-code tests."
infra_to_platform:
consumed_artifacts:
- "Site manifests (site_code, country_code, IT load, rack counts, GPU vs CPU)."
- "Network overlays and endpoints (VRFs, IP ranges, VIPs, DNS zones)."
- "Node pool definitions or abstracted host inventory (compute/storage/gpu)."
consumption_modes:
- "Generated config files or APIs providing site metadata."
- "Validation schemas shared across repos to ensure compatibility."
workflows_examples:
new_site_onboarding:
steps:
- repo: "R1"
description: >
Define new site manifest, rack layouts, and network Terraform configs.
Run infra CI (Terraform, Ansible, Batfish). Deploy infra.
- repo: "R2"
description: >
Create new K8s cluster definition for the site, referencing site
metadata from R1 and policy bundle version from R3. Run platform CI
(schema checks, policy tests, Argo dry-run). Bootstrap cluster.
- repo: "R3"
description: >
Only required if new country/jurisdiction needs specific overlays
(data residency, sustainability targets, RBAC variants). Publish new
policy bundle version if needed.
policy_change_flow:
steps:
- repo: "R3"
description: >
Update data classification or residency rules, adjust policies, and
run governance CI. Publish new tagged policy bundle version.
- repo: "R2"
description: >
Bump policy bundle version, run CI. Fix any manifest violations and
redeploy clusters with updated policies.
- repo: "R1"
description: >
Update infra topology only if required by new residency or DR rules
(e.g., backup targets, network segmentation). Run infra CI and deploy.
migration_from_monorepo:
starting_point: >
Single repo containing infra-foundation, platform-clusters, and
policies-and-compliance as top-level directories.
steps:
- id: "M1"
name: "Stabilize Layout and Ownership"
description: >
Ensure current monorepo matches the intended directory structure:
infra code under infra-foundation/, platform code under
platform-clusters/, governance artifacts under policies-and-compliance/.
Establish CODEOWNERS per directory.
- id: "M2"
name: "Extract Governance Repo"
description: >
Use git history filtering to extract policies-and-compliance/ and
related docs/tests into sovereign-governance.git with full history.
Add README and CI in the new repo.
- id: "M3"
name: "Create Infra and Platform Repos"
description: >
Split remaining monorepo content into sovereign-infra-foundation.git
(infra-foundation/*) and sovereign-platform.git (platform-clusters/*,
plus shared tooling/docs as appropriate), preserving history where
possible.
- id: "M4"
name: "Wire Dependencies"
description: >
Implement artifact or submodule mechanisms so infra and platform repos
can consume governance policy bundles and schemas. Implement mechanisms
for platform to consume site metadata from infra.
- id: "M5"
name: "Update CI/CD and Documentation"
description: >
Update CI/CD configs in all three repos to match the new split, ensure
all cross-repo flows are documented, and deprecate monorepo pipelines.
governance:
change_process:
- "Any change to this charter requires approval from: Sovereign Compliance & Sustainability Lead, Security Architect, Principal SRE / Automation & IaC Lead."
- "Repo creation, rename, or decommission must reference this charter and justify deviations."
- "Cross-repo contracts (schemas, policy bundle formats) must be versioned and backwards compatible when feasible."
review_cadence:
- "Formal review at least annually or after major architectural changes (new regions, new classifications, new regulatory regimes)."
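
Review bot: The bundle hand-off in governance_to_platform.consumption_modes pins by name only ("Pinned policy bundle versions in cluster configs (e.g. policy-bundle-vYYYY.MM.DD)"), and R3's ci_requirements publish bundles "as artifacts (e.g., tags)". A git tag can be re-pointed after publication, so nothing in the charter lets R2 confirm that the bundle it enforces is the one governance CI tested. Suggest adding to R3's ci_requirements that each published bundle carries a content digest or signature, and to R2's ci_requirements that the pinned bundle is verified against it before the policy-as-code tests run. The same applies to the M4 "artifact or submodule mechanisms" step, which should name the integrity check it relies on. Separately, new_site_onboarding lists the R3 step last although the R2 step already references a "policy bundle version from R3", and policy_change_flow puts R1 after R2 although dependency_direction has R1 feeding R2. Ordering both workflows R3, R1, R2, with the conditional steps marked as conditional, would match the stated direction. A one-line definition of the arrow in dependency_direction would also help, since "R3 → R1" reads as artifact flow while R3's description says it does not depend on infra or platform repos.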