smom-dbis-138/config/environments.yaml
defiQUG 1fb7266469 Add Oracle Aggregator and CCIP Integration
- Introduced Aggregator.sol for Chainlink-compatible oracle functionality, including round-based updates and access control.
- Added OracleWithCCIP.sol to extend Aggregator with CCIP cross-chain messaging capabilities.
- Created .gitmodules to include OpenZeppelin contracts as a submodule.
- Developed a comprehensive deployment guide in NEXT_STEPS_COMPLETE_GUIDE.md for Phase 2 and smart contract deployment.
- Implemented Vite configuration for the orchestration portal, supporting both Vue and React frameworks.
- Added server-side logic for the Multi-Cloud Orchestration Portal, including API endpoints for environment management and monitoring.
- Created scripts for resource import and usage validation across non-US regions.
- Added tests for CCIP error handling and integration to ensure robust functionality.
- Included various new files and directories for the orchestration portal and deployment scripts.
2025-12-12 14:57:48 -08:00


# Multi-Cloud, HCI, and Hybrid Environment Configuration
# This file defines all target environments (regions, clouds, on-prem clusters).
# Adding/removing environments is done by modifying this file only.
#
# Every entry under `environments` carries: name, role (admin | workload),
# provider (azure | aws | gcp | ibm | oci | onprem), type (cloud | hci),
# region/location, enabled, a `components` list, an `infrastructure` block
# (kubernetes + node_pools, optionally networking/storage), a provider-specific
# section named after the provider, and optionally `secrets`, `identity` and
# Arc/HCI integration blocks. Cloud account identifiers are written as
# `${VAR}` placeholders and are expected to be substituted before use.
environments:
# ============================================
# ADMIN / CONTROL PLANE REGION
# ============================================
- name: admin-azure-westus
  # Control-plane region: the only entry with role 'admin'. It hosts CI/CD,
  # monitoring, orchestration and the GitOps/IaC tooling for all workloads.
  role: admin
  provider: azure
  type: cloud
  region: westus
  location: 'West US'
  enabled: true
  components:
  - cicd
  - monitoring
  - orchestration
  - control-plane
  - argo-cd
  - terraform-cloud
  infrastructure:
    kubernetes:
      provider: aks
      version: '1.28'  # quoted so it is not parsed as the float 1.28
      node_pools:
        system:
          count: 3
          vm_size: 'Standard_D4s_v3'
        control:
          count: 2
          vm_size: 'Standard_D4s_v3'
    networking:
      vnet_cidr: '10.0.0.0/16'
      subnets:
      - name: aks
        cidr: '10.0.1.0/24'
      - name: control
        cidr: '10.0.2.0/24'
    storage:
      type: 'Premium_LRS'
      backup_retention_days: 90
  azure:
    resource_group_name: 'rg-admin-westus-001'
    # `${...}` placeholders are substituted from the environment at deploy
    # time; no subscription or tenant identifier is committed here.
    subscription_id: '${AZURE_SUBSCRIPTION_ID}'
    tenant_id: '${AZURE_TENANT_ID}'
  secrets:
    provider: azure-keyvault
    key_vault_name: 'kv-admin-secrets-001'
  identity:
    provider: azure-ad
    enable_rbac: true  # only the admin region sets this explicitly
    federated_identity: true
# ============================================
# WORKLOAD REGIONS - AZURE
# ============================================
- name: workload-azure-eastus
  # Azure workload region; the only workload entry that also runs the
  # 'monitoring' component locally.
  role: workload
  provider: azure
  type: cloud
  region: eastus
  location: 'East US'
  enabled: true
  components:
  - validators
  - sentries
  - rpc
  - monitoring
  infrastructure:
    kubernetes:
      provider: aks
      version: '1.28'
      node_pools:
        system:
          count: 1
          vm_size: 'Standard_D2plsv6'
        validators:
          count: 1
          vm_size: 'Standard_D2plsv6'
        sentries:
          # Pool is declared but scaled to zero although 'sentries' is still
          # listed under components; no subnet is reserved for it either.
          count: 0
          vm_size: 'Standard_D2plsv6'
        rpc:
          count: 1
          vm_size: 'Standard_D2plsv6'
    networking:
      vnet_cidr: '10.1.0.0/16'
      subnets:
      - name: aks
        cidr: '10.1.1.0/24'
      - name: validators
        cidr: '10.1.2.0/24'
      - name: rpc
        cidr: '10.1.4.0/24'
  azure:
    resource_group_name: 'rg-workload-eastus-001'
    arc_enabled: true  # Azure Arc for hybrid management
  secrets:
    provider: azure-keyvault
    key_vault_name: 'kv-workload-eastus-001'
  identity:
    provider: azure-ad
    federated_identity: true
    # NOTE(review): enable_rbac is set only on the admin region; confirm the
    # consumer's default before relying on it for this cluster.
- name: workload-azure-westeurope
  # Azure workload region, minimal form: no networking, secrets or identity
  # section is declared (compare workload-azure-eastus).
  role: workload
  provider: azure
  type: cloud
  region: westeurope
  location: 'West Europe'
  enabled: true
  components:
  - validators
  - sentries
  - rpc
  infrastructure:
    kubernetes:
      provider: aks
      version: '1.28'
      node_pools:
        system:
          count: 1
          vm_size: 'Standard_D2plsv6'
        validators:
          count: 1
          vm_size: 'Standard_D2plsv6'
        rpc:
          count: 1
          vm_size: 'Standard_D2plsv6'
        # NOTE(review): 'sentries' is listed in components but has no node
        # pool here — confirm whether that is intended.
  azure:
    resource_group_name: 'rg-workload-we-001'
    arc_enabled: true
  # NOTE(review): with no vnet_cidr declared, verify the consumer assigns a
  # range that does not overlap the 10.0–10.3/16 blocks used elsewhere.
# ============================================
# WORKLOAD REGIONS - AWS
# ============================================
- name: workload-aws-usw2
  # AWS workload region (EKS) managed from Azure through Arc.
  role: workload
  provider: aws
  type: cloud
  region: us-west-2
  location: 'US West (Oregon)'
  enabled: true
  components:
  - validators
  - sentries
  - rpc
  infrastructure:
    kubernetes:
      provider: eks
      version: '1.28'
      node_pools:
        system:
          count: 1
          instance_type: 't3.medium'
        validators:
          count: 1
          instance_type: 't3.medium'
        rpc:
          count: 1
          instance_type: 't3.medium'
        # NOTE(review): 'sentries' appears in components without a node pool.
    networking:
      vpc_cidr: '10.2.0.0/16'
      subnets:
      - name: eks
        cidr: '10.2.1.0/24'
        availability_zone: 'us-west-2a'
      - name: validators
        cidr: '10.2.2.0/24'
        availability_zone: 'us-west-2b'
      - name: rpc
        cidr: '10.2.4.0/24'
        availability_zone: 'us-west-2a'
    storage:
      type: 'gp3'
      volume_size_gb: 256
  aws:
    account_id: '${AWS_ACCOUNT_ID}'  # substituted at deploy time, not committed
    region: 'us-west-2'
    vpc_id: ''  # Will be created by Terraform
  secrets:
    provider: aws-secrets-manager
    region: 'us-west-2'
  identity:
    provider: aws-iam
    enable_irsa: true  # IAM Roles for Service Accounts
  # Azure Arc integration (for hybrid management from Azure)
  azure_arc:
    enabled: true
    cluster_name: 'workload-aws-usw2'
    resource_group: 'rg-arc-aws-usw2'
- name: workload-aws-euw1
  # AWS workload region (EKS), reduced form: no networking block and no
  # secrets region are given (compare workload-aws-usw2).
  role: workload
  provider: aws
  type: cloud
  region: eu-west-1
  location: 'Europe (Ireland)'
  enabled: true
  components:
  - validators
  - rpc
  infrastructure:
    kubernetes:
      provider: eks
      version: '1.28'
      node_pools:
        system:
          count: 1
          instance_type: 't3.medium'
        validators:
          count: 1
          instance_type: 't3.medium'
        rpc:
          count: 1
          instance_type: 't3.medium'
  aws:
    account_id: '${AWS_ACCOUNT_ID}'
    region: 'eu-west-1'
  secrets:
    provider: aws-secrets-manager
    # NOTE(review): no region set here, unlike usw2 — confirm the consumer
    # falls back to aws.region.
  identity:
    provider: aws-iam
    enable_irsa: true
  azure_arc:
    enabled: true
    cluster_name: 'workload-aws-euw1'
    # NOTE(review): no resource_group, unlike workload-aws-usw2.
# ============================================
# WORKLOAD REGIONS - GOOGLE CLOUD
# ============================================
- name: workload-gcp-ew1
  # Google Cloud workload region (GKE) with Workload Identity enabled.
  role: workload
  provider: gcp
  type: cloud
  region: europe-west1
  location: 'Belgium'
  enabled: true
  components:
  - validators
  - rpc
  infrastructure:
    kubernetes:
      provider: gke
      version: '1.28'
      node_pools:
        system:
          count: 1
          machine_type: 'e2-medium'
        validators:
          count: 1
          machine_type: 'e2-medium'
        rpc:
          count: 1
          machine_type: 'e2-medium'
    networking:
      vpc_cidr: '10.3.0.0/16'
      subnets:
      - name: gke
        cidr: '10.3.1.0/24'
        region: 'europe-west1'
  gcp:
    project_id: '${GCP_PROJECT_ID}'  # substituted at deploy time, not committed
    region: 'europe-west1'
    zone: 'europe-west1-b'
  secrets:
    provider: gcp-secret-manager
  identity:
    provider: gcp-iam
    workload_identity: true
  azure_arc:
    enabled: true
    cluster_name: 'workload-gcp-ew1'
# ============================================
# WORKLOAD REGIONS - IBM CLOUD
# ============================================
- name: workload-ibm-us-south
  # IBM Cloud workload region (IKS). Declared but disabled by default.
  role: workload
  provider: ibm
  type: cloud
  region: us-south
  location: 'Dallas, USA'
  enabled: false  # Disabled by default, enable when needed
  components:
  - validators
  - rpc
  infrastructure:
    kubernetes:
      provider: iks
      version: '1.28'
      node_pools:
        system:
          count: 1
          flavor: 'b3c.4x16'
        validators:
          count: 1
          flavor: 'b3c.4x16'
        rpc:
          count: 1
          flavor: 'b3c.4x16'
  ibm:
    # NOTE(review): the account's 'default' resource group is used; every
    # other cloud entry has a dedicated group. Confirm that is intended.
    resource_group: 'default'
    region: 'us-south'
  secrets:
    provider: ibm-secrets-manager
  identity:
    provider: ibm-iam
  azure_arc:
    enabled: true
    cluster_name: 'workload-ibm-us-south'
# ============================================
# WORKLOAD REGIONS - ORACLE CLOUD
# ============================================
- name: workload-oci-us-ashburn
  # Oracle Cloud workload region (OKE). Declared but disabled by default.
  role: workload
  provider: oci
  type: cloud
  region: us-ashburn-1
  location: 'Ashburn, USA'
  enabled: false  # Disabled by default
  components:
  - validators
  - rpc
  infrastructure:
    kubernetes:
      provider: oke
      version: 'v1.28.2'  # OKE version string carries the 'v' prefix and patch level
      node_pools:
        # Flex shapes size the VM by ocpus/memory_gb rather than a fixed SKU.
        system:
          count: 1
          shape: 'VM.Standard.E4.Flex'
          ocpus: 2
          memory_gb: 16
        validators:
          count: 1
          shape: 'VM.Standard.E4.Flex'
          ocpus: 2
          memory_gb: 16
        rpc:
          count: 1
          shape: 'VM.Standard.E4.Flex'
          ocpus: 2
          memory_gb: 16
  oci:
    # Substituted at deploy time, not committed.
    tenancy_ocid: '${OCI_TENANCY_OCID}'
    compartment_id: '${OCI_COMPARTMENT_ID}'
    region: 'us-ashburn-1'
  secrets:
    provider: oci-vault
  identity:
    provider: oci-iam
  azure_arc:
    enabled: true
    cluster_name: 'workload-oci-us-ashburn'
# ============================================
# ON-PREM HCI CLUSTERS
# ============================================
- name: workload-hci-dc1
  # On-prem HCI cluster on Azure Stack HCI, onboarded to Azure through Arc.
  role: workload
  provider: onprem
  type: hci
  region: datacenter-1
  location: 'On-Premises Datacenter 1'
  enabled: true
  components:
  - validators
  - rpc
  infrastructure:
    kubernetes:
      provider: k8s
      version: '1.28'
      # HCI-specific configuration
      hci:
        platform: azure-stack-hci
        cluster_name: 'hci-cluster-dc1'
      node_pools:
        system:
          count: 1
          vm_size: 'Standard_D4s_v3'
        validators:
          count: 1
          vm_size: 'Standard_D4s_v3'
        rpc:
          count: 1
          vm_size: 'Standard_D4s_v3'
    networking:
      vlan_id: 100
      subnet_cidr: '192.168.1.0/24'
      gateway: '192.168.1.1'
  onprem:
    datacenter: 'dc1'
    # Duplicates infrastructure.kubernetes.hci.platform — keep the two in sync.
    hci_platform: 'azure-stack-hci'
    vcenter: 'vcenter.dc1.example.com'  # If using vSphere
  # Azure Stack HCI integration
  azure_stack_hci:
    enabled: true
    resource_group: 'rg-hci-dc1'
    arc_enabled: true
    cluster_name: 'hci-cluster-dc1'
  secrets:
    provider: vault  # HashiCorp Vault for on-prem
    vault_address: 'https://vault.dc1.example.com'
  identity:
    provider: active-directory
    domain: 'dc1.example.com'
- name: workload-hci-edge1
  # On-prem edge cluster on vSphere, Arc-onboarded. Disabled by default.
  role: workload
  provider: onprem
  type: hci
  region: edge-site-1
  location: 'Edge Site 1'
  enabled: false  # Disabled by default
  components:
  - validators
  - rpc
  infrastructure:
    kubernetes:
      provider: k8s
      version: '1.28'
      hci:
        platform: vsphere
        cluster_name: 'hci-cluster-edge1'
      node_pools:
        # NOTE(review): these are Azure VM SKU names on a vSphere platform —
        # confirm how the consumer maps vm_size for on-prem pools.
        system:
          count: 1
          vm_size: 'Standard_D2s_v3'
        validators:
          count: 1
          vm_size: 'Standard_D2s_v3'
        rpc:
          count: 1
          vm_size: 'Standard_D2s_v3'
    # NOTE(review): no networking block, unlike workload-hci-dc1.
  onprem:
    datacenter: 'edge1'
    hci_platform: 'vsphere'  # duplicates infrastructure.kubernetes.hci.platform
    vcenter: 'vcenter.edge1.example.com'
  azure_arc:
    enabled: true
    cluster_name: 'hci-cluster-edge1'
  secrets:
    provider: vault
    vault_address: 'https://vault.edge1.example.com'
  identity:
    provider: active-directory
    domain: 'edge1.example.com'
# ============================================
# GLOBAL CONFIGURATION
# ============================================
global:
# Deployment strategy
deployment_strategy: "blue-green" # blue-green, canary, rolling
# Cross-cloud connectivity
connectivity:
type: "public" # public, vpn, private-link, expressroute
# For private connectivity
vpn:
enabled: false
provider: "azure-vpn" # azure-vpn, aws-vpn, gcp-vpn
expressroute:
enabled: false
provider: "azure"
direct_connect:
enabled: false
provider: "aws"
# Service mesh for cross-cloud communication
service_mesh:
enabled: true
provider: "istio" # istio, linkerd, kuma
mTLS: true
# Centralized secrets management
secrets:
primary_provider: "vault" # vault, azure-keyvault, aws-secrets-manager
vault:
address: "https://vault.global.example.com"
namespace: "besu-network"
# Centralized identity
identity:
provider: "azure-ad" # azure-ad, okta, keycloak
federated_identity: true
sso_enabled: true
# Observability
observability:
logging:
provider: "loki" # loki, elasticsearch, cloudwatch, azure-monitor
central_endpoint: "https://loki.global.example.com"
metrics:
provider: "prometheus" # prometheus, datadog, new-relic
central_endpoint: "https://prometheus.global.example.com"
tracing:
provider: "jaeger" # jaeger, zipkin, tempo
central_endpoint: "https://jaeger.global.example.com"
# Cost optimization
cost_optimization:
enable_spot_instances: false
enable_autoscaling: true
budget_alerts: true
# Security
security:
zero_trust_networking: true
policy_as_code: true
enable_network_policies: true
enable_pod_security_policies: true