6cd1a1546c
Lands the per-VM × per-service manifest tree, per-env overlays, VM specs
for SysEleven provisioning, DNS zone placeholder, plan/apply/validate
scripts, and a Makefile.
Structure (per INFRASTRUCTURE.md §2 + IMPLEMENTATION_PLAN.md M1.1):
- manifests/{vm-edge,vm-control,vm-data,stage}/<service>.toml — 35 stubs
- overlays/{dev,stage,prod}/overlay.toml — env-selection rules
- vms/{vm-edge,vm-control,vm-data,stage}.toml — OpenStack flavor/IP/firewall
- dns/yourplatform.com.zone.template — PowerDNS zone (body lands in M0.3)
- cluster.toml.tmpl — cluster-level config rendered per env
- scripts/validate.sh — TOML parse + structural sanity
- scripts/plan.sh — merge manifests + overlay → .orca-out/<env>/
- scripts/apply.sh — push to Orca controller (no-op until M1.2)
- Makefile — validate / plan / apply / diff / clean
Each manifest header names the milestone that finalises its real values;
images today are 'placeholder' for services that need their own repo to
exist first. make validate stays green; apply gates on ORCA_API_URL.
CI workflow swapped from the broken 'orca validate' to 'make validate',
which calls a Python TOML parser plus structural checks (placement.node
matches vm dir, resources.memory present, no mis-nested keys).
Refs: M1.1
Manifests
One service.toml per service, grouped by host VM, per INFRASTRUCTURE.md §2.
| Directory | VM | Plane(s) | Owner milestone of "real" config |
|---|---|---|---|
| vm-edge/ | vm-edge | Identity + Infra | M2.1 (Keycloak), M3.1 (Infisical), M0.3 (PowerDNS), M2.x (Gitea), M1.2 (proxy) |
| vm-control/ | vm-control | Control | M5.1 (portal), M4.1 (tenant-registry), M8.1 (ERPNext), M3.2 (Stalwart) |
| vm-data/ | vm-data | Data | M6.x (CERTifAI), M7.x (compliance), M4.1 (pg-app) |
| stage/ | stage | App plane only | promotion target of stage builds |
Each file in this directory is currently a shape-only stub — fields are set but image references and env wiring will be finalised by the milestone listed in the file header.
Adding a new service
- Pick the owning VM per INFRASTRUCTURE.md §2.
- Create `<vm-name>/<service-name>.toml` following the shape of an existing stub.
- Set `placement.node = "<vm-name>"` and `resources.memory`/`resources.cpu` per the co-tenant budget in INFRASTRUCTURE.md §6.
- Reference secrets as `${secrets.NAME}`; Infisical resolves these. No plaintext values, except the Keycloak bootstrap DB URI exception (INFRASTRUCTURE.md §8 rule 3).
- Run `make validate` before pushing.
Validation
`make validate` parses every TOML file and checks the required fields (`name`, `image` OR `build` OR `module`, `placement.node`, `resources.memory`). It does NOT contact a running cluster.
`make plan ENV=<env>` merges the base manifests with the matching overlay in `overlays/<env>/` and prints the resulting service definitions. It is a no-op until matching overlays exist for the env.
`make apply ENV=<env>` is gated on a real Orca controller URL: it refuses to run until `ORCA_API_URL` is set (lands in M1.2).