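---
# Multi-Cloud, HCI, and Hybrid Environment Configuration
# This file defines all target environments (regions, clouds, on-prem clusters)
# Adding/removing environments is done by modifying this file only
#
# NOTE(review): indentation was reconstructed from a whitespace-collapsed copy;
# verify the nesting (in particular networking/storage under infrastructure and
# the private-connectivity blocks under connectivity) against the consumer's schema.
#
# Values written as "${NAME}" are placeholders left for the consuming tool to
# substitute (presumably from the environment) — no account identifiers or
# secret material are stored in this file.
environments:
  # ============================================
  # ADMIN / CONTROL PLANE REGION
  # ============================================
  - name: admin-azure-westus
    role: admin
    provider: azure
    type: cloud
    region: westus
    location: "West US"
    enabled: true
    # Admin region hosts CI/CD, control plane, monitoring, orchestration
    components:
      - cicd
      - monitoring
      - orchestration
      - control-plane
      - argo-cd
      - terraform-cloud

    # Infrastructure configuration
    infrastructure:
      kubernetes:
        provider: aks
        version: "1.28"
        node_pools:
          system:
            count: 3
            vm_size: "Standard_D4s_v3"
          control:
            count: 2
            vm_size: "Standard_D4s_v3"
      networking:
        vnet_cidr: "10.0.0.0/16"
        subnets:
          - name: aks
            cidr: "10.0.1.0/24"
          - name: control
            cidr: "10.0.2.0/24"
      storage:
        type: "Premium_LRS"
        backup_retention_days: 90

    # Azure-specific configuration
    azure:
      resource_group_name: "rg-admin-westus-001"
      subscription_id: "${AZURE_SUBSCRIPTION_ID}"
      tenant_id: "${AZURE_TENANT_ID}"

    # Secrets and identity
    secrets:
      provider: azure-keyvault
      key_vault_name: "kv-admin-secrets-001"
    identity:
      provider: azure-ad
      # NOTE(review): only the admin region sets enable_rbac; the workload AKS
      # regions below omit it — confirm the consumer's default for those clusters.
      enable_rbac: true
      federated_identity: true

  # ============================================
  # WORKLOAD REGIONS - AZURE
  # ============================================
  - name: workload-azure-eastus
    role: workload
    provider: azure
    type: cloud
    region: eastus
    location: "East US"
    enabled: true
    components:
      - validators
      - sentries
      - rpc
      - monitoring
    infrastructure:
      kubernetes:
        provider: aks
        version: "1.28"
        node_pools:
          system:
            count: 1
            vm_size: "Standard_D2plsv6"
          validators:
            count: 1
            vm_size: "Standard_D2plsv6"
          sentries:
            count: 0  # sentries component is listed but its pool is empty
            vm_size: "Standard_D2plsv6"
          rpc:
            count: 1
            vm_size: "Standard_D2plsv6"
      networking:
        vnet_cidr: "10.1.0.0/16"
        subnets:
          - name: aks
            cidr: "10.1.1.0/24"
          - name: validators
            cidr: "10.1.2.0/24"
          - name: rpc
            cidr: "10.1.4.0/24"
    azure:
      resource_group_name: "rg-workload-eastus-001"
      arc_enabled: true  # Enable Azure Arc for hybrid management
    secrets:
      provider: azure-keyvault
      key_vault_name: "kv-workload-eastus-001"
    identity:
      provider: azure-ad
      federated_identity: true

  - name: workload-azure-westeurope
    role: workload
    provider: azure
    type: cloud
    region: westeurope
    location: "West Europe"
    enabled: true
    components:
      - validators
      - sentries
      - rpc
    infrastructure:
      kubernetes:
        provider: aks
        version: "1.28"
        node_pools:
          system:
            count: 1
            vm_size: "Standard_D2plsv6"
          validators:
            count: 1
            vm_size: "Standard_D2plsv6"
          rpc:
            count: 1
            vm_size: "Standard_D2plsv6"
      # NOTE(review): no networking block here, unlike the other Azure regions —
      # confirm the consumer provisions a default VNet/subnets for this region.
    azure:
      resource_group_name: "rg-workload-we-001"
      arc_enabled: true
    # NOTE(review): no secrets/identity block for this region — confirm whether
    # the global secrets/identity settings apply or this is an omission.

  # ============================================
  # WORKLOAD REGIONS - AWS
  # ============================================
  - name: workload-aws-usw2
    role: workload
    provider: aws
    type: cloud
    region: us-west-2
    location: "US West (Oregon)"
    enabled: true
    components:
      - validators
      - sentries
      - rpc
    infrastructure:
      kubernetes:
        provider: eks
        version: "1.28"
        node_pools:
          system:
            count: 1
            instance_type: "t3.medium"
          validators:
            count: 1
            instance_type: "t3.medium"
          rpc:
            count: 1
            instance_type: "t3.medium"
      networking:
        vpc_cidr: "10.2.0.0/16"
        subnets:
          - name: eks
            cidr: "10.2.1.0/24"
            availability_zone: "us-west-2a"
          - name: validators
            cidr: "10.2.2.0/24"
            availability_zone: "us-west-2b"
          - name: rpc
            cidr: "10.2.4.0/24"
            availability_zone: "us-west-2a"
      storage:
        type: "gp3"
        volume_size_gb: 256
    aws:
      account_id: "${AWS_ACCOUNT_ID}"
      region: "us-west-2"
      vpc_id: ""  # Will be created by Terraform
    secrets:
      provider: aws-secrets-manager
      region: "us-west-2"
    identity:
      provider: aws-iam
      enable_irsa: true  # IAM Roles for Service Accounts
    # Azure Arc integration (for hybrid management from Azure)
    azure_arc:
      enabled: true
      cluster_name: "workload-aws-usw2"
      resource_group: "rg-arc-aws-usw2"

  - name: workload-aws-euw1
    role: workload
    provider: aws
    type: cloud
    region: eu-west-1
    location: "Europe (Ireland)"
    enabled: true
    components:
      - validators
      - rpc
    infrastructure:
      kubernetes:
        provider: eks
        version: "1.28"
        node_pools:
          system:
            count: 1
            instance_type: "t3.medium"
          validators:
            count: 1
            instance_type: "t3.medium"
          rpc:
            count: 1
            instance_type: "t3.medium"
    aws:
      account_id: "${AWS_ACCOUNT_ID}"
      region: "eu-west-1"
    secrets:
      provider: aws-secrets-manager
    identity:
      provider: aws-iam
      enable_irsa: true
    # NOTE(review): this and the GCP/IBM/OCI/edge azure_arc blocks carry no
    # resource_group, unlike workload-aws-usw2 — confirm the consumer defaults it.
    azure_arc:
      enabled: true
      cluster_name: "workload-aws-euw1"

  # ============================================
  # WORKLOAD REGIONS - GOOGLE CLOUD
  # ============================================
  - name: workload-gcp-ew1
    role: workload
    provider: gcp
    type: cloud
    region: europe-west1
    location: "Belgium"
    enabled: true
    components:
      - validators
      - rpc
    infrastructure:
      kubernetes:
        provider: gke
        version: "1.28"
        node_pools:
          system:
            count: 1
            machine_type: "e2-medium"
          validators:
            count: 1
            machine_type: "e2-medium"
          rpc:
            count: 1
            machine_type: "e2-medium"
      networking:
        vpc_cidr: "10.3.0.0/16"
        subnets:
          - name: gke
            cidr: "10.3.1.0/24"
            region: "europe-west1"
    gcp:
      project_id: "${GCP_PROJECT_ID}"
      region: "europe-west1"
      zone: "europe-west1-b"
    secrets:
      provider: gcp-secret-manager
    identity:
      provider: gcp-iam
      workload_identity: true
    azure_arc:
      enabled: true
      cluster_name: "workload-gcp-ew1"

  # ============================================
  # WORKLOAD REGIONS - IBM CLOUD
  # ============================================
  - name: workload-ibm-us-south
    role: workload
    provider: ibm
    type: cloud
    region: us-south
    location: "Dallas, USA"
    enabled: false  # Disabled by default, enable when needed
    components:
      - validators
      - rpc
    infrastructure:
      kubernetes:
        provider: iks
        version: "1.28"
        node_pools:
          system:
            count: 1
            flavor: "b3c.4x16"
          validators:
            count: 1
            flavor: "b3c.4x16"
          rpc:
            count: 1
            flavor: "b3c.4x16"
    ibm:
      resource_group: "default"
      region: "us-south"
    secrets:
      provider: ibm-secrets-manager
    identity:
      provider: ibm-iam
    azure_arc:
      enabled: true
      cluster_name: "workload-ibm-us-south"

  # ============================================
  # WORKLOAD REGIONS - ORACLE CLOUD
  # ============================================
  - name: workload-oci-us-ashburn
    role: workload
    provider: oci
    type: cloud
    region: us-ashburn-1
    location: "Ashburn, USA"
    enabled: false  # Disabled by default
    components:
      - validators
      - rpc
    infrastructure:
      kubernetes:
        provider: oke
        # Only region using the "vX.Y.Z" form; every other region pins "1.28".
        # Kept as-is — confirm the OKE consumer expects this format.
        version: "v1.28.2"
        node_pools:
          system:
            count: 1
            shape: "VM.Standard.E4.Flex"
            ocpus: 2
            memory_gb: 16
          validators:
            count: 1
            shape: "VM.Standard.E4.Flex"
            ocpus: 2
            memory_gb: 16
          rpc:
            count: 1
            shape: "VM.Standard.E4.Flex"
            ocpus: 2
            memory_gb: 16
    oci:
      tenancy_ocid: "${OCI_TENANCY_OCID}"
      compartment_id: "${OCI_COMPARTMENT_ID}"
      region: "us-ashburn-1"
    secrets:
      provider: oci-vault
    identity:
      provider: oci-iam
    azure_arc:
      enabled: true
      cluster_name: "workload-oci-us-ashburn"

  # ============================================
  # ON-PREM HCI CLUSTERS
  # ============================================
  - name: workload-hci-dc1
    role: workload
    provider: onprem
    type: hci
    region: datacenter-1
    location: "On-Premises Datacenter 1"
    enabled: true
    components:
      - validators
      - rpc
    infrastructure:
      kubernetes:
        provider: k8s
        version: "1.28"
      # HCI-specific configuration
      hci:
        platform: azure-stack-hci
        cluster_name: "hci-cluster-dc1"
        node_pools:
          system:
            count: 1
            vm_size: "Standard_D4s_v3"
          validators:
            count: 1
            vm_size: "Standard_D4s_v3"
          rpc:
            count: 1
            vm_size: "Standard_D4s_v3"
      networking:
        vlan_id: 100
        subnet_cidr: "192.168.1.0/24"
        gateway: "192.168.1.1"
    onprem:
      datacenter: "dc1"
      hci_platform: "azure-stack-hci"
      # If using vSphere. NOTE(review): this site declares azure-stack-hci, so
      # the vcenter entry looks unused here — confirm before relying on it.
      vcenter: "vcenter.dc1.example.com"
    # Azure Stack HCI integration
    azure_stack_hci:
      enabled: true
      resource_group: "rg-hci-dc1"
      arc_enabled: true
      cluster_name: "hci-cluster-dc1"
    secrets:
      provider: vault  # HashiCorp Vault for on-prem
      vault_address: "https://vault.dc1.example.com"
    identity:
      provider: active-directory
      domain: "dc1.example.com"

  - name: workload-hci-edge1
    role: workload
    provider: onprem
    type: hci
    region: edge-site-1
    location: "Edge Site 1"
    enabled: false  # Disabled by default
    components:
      - validators
      - rpc
    infrastructure:
      kubernetes:
        provider: k8s
        version: "1.28"
      hci:
        platform: vsphere
        cluster_name: "hci-cluster-edge1"
        node_pools:
          system:
            count: 1
            vm_size: "Standard_D2s_v3"
          validators:
            count: 1
            vm_size: "Standard_D2s_v3"
          rpc:
            count: 1
            vm_size: "Standard_D2s_v3"
    onprem:
      datacenter: "edge1"
      hci_platform: "vsphere"
      vcenter: "vcenter.edge1.example.com"
    azure_arc:
      enabled: true
      cluster_name: "hci-cluster-edge1"
    secrets:
      provider: vault
      vault_address: "https://vault.edge1.example.com"
    identity:
      provider: active-directory
      domain: "edge1.example.com"

# ============================================
# GLOBAL CONFIGURATION
# ============================================
global:
  # Deployment strategy
  deployment_strategy: "blue-green"  # blue-green, canary, rolling

  # Cross-cloud connectivity
  connectivity:
    # With "public" and every private option below disabled, inter-environment
    # traffic (validators, RPC, observability) crosses the public internet; the
    # service_mesh mTLS flag is the only transport protection this file sets —
    # confirm it covers all cross-environment paths.
    type: "public"  # public, vpn, private-link, expressroute
    # For private connectivity
    vpn:
      enabled: false
      provider: "azure-vpn"  # azure-vpn, aws-vpn, gcp-vpn
    expressroute:
      enabled: false
      provider: "azure"
    direct_connect:
      enabled: false
      provider: "aws"

  # Service mesh for cross-cloud communication
  service_mesh:
    enabled: true
    provider: "istio"  # istio, linkerd, kuma
    mTLS: true  # key spelling is consumed as-is; the rest of the file uses snake_case

  # Centralized secrets management
  secrets:
    primary_provider: "vault"  # vault, azure-keyvault, aws-secrets-manager
    vault:
      address: "https://vault.global.example.com"
      namespace: "besu-network"

  # Centralized identity
  identity:
    provider: "azure-ad"  # azure-ad, okta, keycloak
    federated_identity: true
    sso_enabled: true

  # Observability
  observability:
    logging:
      provider: "loki"  # loki, elasticsearch, cloudwatch, azure-monitor
      central_endpoint: "https://loki.global.example.com"
    metrics:
      provider: "prometheus"  # prometheus, datadog, new-relic
      central_endpoint: "https://prometheus.global.example.com"
    tracing:
      provider: "jaeger"  # jaeger, zipkin, tempo
      central_endpoint: "https://jaeger.global.example.com"

  # Cost optimization
  cost_optimization:
    enable_spot_instances: false
    enable_autoscaling: true
    budget_alerts: true

  # Security
  security:
    zero_trust_networking: true
    policy_as_code: true
    enable_network_policies: true
    # NOTE(review): PodSecurityPolicy was removed from Kubernetes in v1.25, and
    # every cluster here pins 1.28 — this flag is a no-op unless the consumer
    # maps it to Pod Security Admission (or an admission controller). Confirm
    # what it actually enables; key left unchanged for the consumer.
    enable_pod_security_policies: true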