
Safenai architecture

This document describes the Safenai architecture.

Networks

In the target architecture, we have 2 types of networks:

  • Private Network: used for the internal clusters: the development ones (Integration and Sandbox) and the Working Env.
  • Public Network: used to expose public services.

Environments

There are 2 categories of environments: development and production.

Development

This category is used to host internal environments that are used for testing purposes.

Integration

This environment will host:

  • Safenai workbench (alpha/beta)
  • Tools & Dev (alpha & beta)

Sandbox

This is a sandbox environment for testing new infra evolutions and upgrades.

Production

This category is used to host the various production environments.

Shared-Services

This environment will host applications that are used by all other envs, such as:

  • IAM: an Identity and Access Management solution for authentication and SSO
  • Vault: a tool specifically designed for securely accessing and storing secrets. It provides secure secret storage, dynamic secrets, data encryption, and access control.

Computational Env

This environment will host the cloud computing.

Working Env

This environment will host Dev Tools, GitLab and DevOps tools (Nexus/Artifactory/Harbor, SonarQube/Kiuwan, GitLab/GitLab CI/Jenkins).

Prod

This environment will host the website, the marketplace, the wiki and the workbench.

Logs

This environment will host a solution to centralize all logs.

Flows

  • EXT-01: unauthenticated users accessing the website and the public part of the marketplace
  • AUTH-01: flow to authenticate external users over the IAM solution
  • AUTH-02: flow to authenticate Safenai collaborators over the IAM solution
  • AUTH-03, AUTH-04: flows for authenticated clients to access the protected resources
  • AUTH-05, AUTH-06, AUTH-07, AUTH-08: flows for internal authenticated users to access internal environments/applications
  • LOG-01, LOG-02, LOG-03, LOG-04, LOG-05, LOG-06: flows to send logs to the log application
  • DATA-01, DATA-02, DATA-03, DATA-04, DATA-05, DATA-06: flows to access data stores (SQL database, Redis, block storage and object storage)

Kubernetes

Each Kubernetes cluster has at least 3 namespaces:

  • istio-system: the namespace where we deploy Istio, which sits behind a LoadBalancer.
  • observability: the namespace where we deploy the observability stack/agents.
  • app: the namespace where we deploy the Safenai apps.

K8S infrastructure architecture

(Diagram: K8S infra architecture)

We assume that we're in a region with multiple Availability Zones (AZ). In each AZ we have a private subnet, in which we have a control plane node and at least one worker node. Each cluster has its own Load Balancer, which is connected to Istio.
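The three baseline namespaces and the "LoadBalancer in front of Istio" entry path described above, written out as manifests. This is an added example, not a manifest from the Safenai project: the namespace names come from the page, while the Service/port values, the istio-injection label, the `istio: ingressgateway` selector (Istio's default gateway label) and the NetworkPolicies are assumptions that show one way to keep the app namespace closed to everything except the gateway and the observability agents.

```yaml
# Added example (assumptions marked): baseline namespaces, the external entry
# point, and a default-deny ingress posture for the app namespace.
apiVersion: v1
kind: Namespace
metadata:
  name: istio-system
---
apiVersion: v1
kind: Namespace
metadata:
  name: observability
---
apiVersion: v1
kind: Namespace
metadata:
  name: app
  labels:
    istio-injection: enabled        # assumption: sidecar for every app workload
---
# External entry point: the cluster's Load Balancer is the Service below,
# fronting the Istio ingress gateway pods (assumed to carry istio=ingressgateway).
apiVersion: v1
kind: Service
metadata:
  name: istio-ingressgateway
  namespace: istio-system
spec:
  type: LoadBalancer
  selector:
    istio: ingressgateway
  ports:
    - name: https
      port: 443
      targetPort: 8443              # assumption: gateway pod's HTTPS port
---
# Nothing reaches app pods unless a later policy allows it.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: app
spec:
  podSelector: {}
  policyTypes: ["Ingress"]
---
# Allowed sources: the Istio ingress gateway, pods inside app (service-to-service
# via sidecars) and the observability namespace (metrics/log agents).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-gateway-app-observability
  namespace: app
spec:
  podSelector: {}
  policyTypes: ["Ingress"]
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: istio-system
          podSelector:
            matchLabels:
              istio: ingressgateway
        - podSelector: {}
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: observability
```

Apply with `kubectl apply -f` on a cluster whose CNI enforces NetworkPolicy (otherwise the deny rule is silently ignored), then confirm the posture by checking that a pod in a scratch namespace cannot reach an app Service while the gateway still can.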

K3S infrastructure architecture

Following the official documentation, we can use High-Availability K3s for the Integration and GPU clusters, and a single-server K3s for the Sandbox cluster and test purposes.
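The two K3s topologies above, expressed as `/etc/rancher/k3s/config.yaml` files (K3s reads its CLI flags from this file, flag names without the leading dashes). This is an added example, not configuration from the Safenai project: the hostname, the token placeholder and the choice to disable Traefik (since Istio is the ingress in this architecture) are assumptions.

```yaml
# Added example. File 1: first server of an HA cluster (embedded etcd).
# Placed at /etc/rancher/k3s/config.yaml before running the k3s install script.
cluster-init: true
token: "<shared-cluster-secret>"          # placeholder, generate and store in Vault
tls-san:
  - "k3s-int.example.internal"            # assumption: API load balancer name
write-kubeconfig-mode: "0600"             # kubeconfig readable by root only
disable:
  - traefik                               # Istio provides ingress instead
---
# File 2: second and third servers join the existing etcd cluster.
server: "https://k3s-int.example.internal:6443"
token: "<shared-cluster-secret>"
tls-san:
  - "k3s-int.example.internal"
write-kubeconfig-mode: "0600"
disable:
  - traefik
---
# File 3: single-server Sandbox cluster (SQLite datastore, no cluster-init).
write-kubeconfig-mode: "0600"
disable:
  - traefik
```

The three documents are separate files on separate hosts, shown in one block for comparison. With three servers (one per AZ, as in the K8S layout above) the embedded etcd keeps quorum through the loss of one zone; the single-server Sandbox has no such guarantee, which is acceptable only because it exists to test infrastructure changes.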