From ef259dcbb2f3b91908fb452f755e84fdec59f483 Mon Sep 17 00:00:00 2001 From: Chris Farhood Date: Sun, 22 Mar 2026 17:32:33 -0400 Subject: [PATCH] policy updates --- POLICIES.md | 25 +++++++++++++++---------- 1 file changed, 15 insertions(+), 10 deletions(-) diff --git a/POLICIES.md b/POLICIES.md index a1b2e86..9e32481 100644 --- a/POLICIES.md +++ b/POLICIES.md 
@@ -21,16 +21,21 @@ All releases use **SemVer** (semantic versioning). ArtifactHub requires SemVer f The following services are available in the cluster. Use them via their operators — do not install standalone instances. -| Layer | Technology | Policy | -|-------|-----------|--------| -| **Database** | CNPG (CloudNativePG) | All PostgreSQL via CNPG `Cluster` CRDs. No manual Postgres installs, no SQLite in production. | -| **Cache / Pub-sub** | DragonflyDB Operator | Redis-compatible via `Dragonfly` CRDs. No standalone Redis. | -| **MQTT** | EMQX Operator | MQTT broker via `EMQX` CRDs. For IoT and messaging workloads. | -| **Block storage** | TrueNAS CSI | All PVCs backed by TrueNAS SCALE. | -| **File / Object storage** | Rook-Ceph | CephFS for shared filesystems, RGW for S3-compatible object storage. | -| **Auth** | Authentik | OIDC/SSO for all web apps. No custom auth systems. | -| **Monitoring** | Prometheus Stack | Create ServiceMonitors and PrometheusRules for all services. AlertManager for alerting. | -| **MariaDB** | MariaDB Operator | Available via `MariaDB` CRDs if needed. Not currently used by Paperclip orgs. | +| Layer | Technology | Access | Policy | +|-------|-----------|--------|--------| +| **Block storage** | TrueNAS CSI | storageClass: block-truenas | All PVCs backed by TrueNAS SCALE. | +| **File storage** | Rook-Ceph | storageClass: ceph-filesystem | CephFS for shared filesystems. | +| **External Object storage** | Rook-Ceph | CephObjectStore/objectstore-ceph-external | RGW for S3-compatible object storage. | +| **Internal Object storage** | Rook-Ceph | CephObjectStore/objectstore-ceph-internal | RGW for S3-compatible object storage. | +| **Database Primary** | CloudNativePG Operator | postgresql.cnpg.io/Cluster | All PostgreSQL via CloudNativePG (CNPG) CRDs. No manual Postgres installs. 3 Replicas & 30 Days of Backup in Production, 1 Replica in Dev/Test/QA 5 Days of Backup. 
| +| **Database Alternate** | MariaDB Operator | k8s.mariadb.com/MaxScale | All MariaDB via MariaDB Operator CRDs. No manual MariaDB installs. No MySQL. 3 Replicas & 30 Days of Backup in Production, 1 Replica in Dev/Test/QA 5 Days of Backup. | +| **Cache / Pub-sub** | DragonflyDB Operator | dragonflydb.io/Dragonfly | Redis-compatible via Dragonfly Operator CRDs. No manual DragonflyDB installs. No Redis. No Persistent or Durable Data, No Exceptions. 3 Replicas in Production, 1 Replica in Dev/Test/QA | +| **MQTT** | EMQX Operator | apps.emqx.io/EMQX | MQTT broker via `EMQX` CRDs. For IoT and messaging workloads. 3 Replicas in Production, 1 Replica in Dev/Test/QA | +| **Authenticated External Services** | Istio Gateway + Authentik | gateway-system/istio-external | OIDC/SSO for all web apps. No custom auth systems. | +| **Authenticated Internal Services** | Istio Gateway + Authentik | gateway-system/istio-internal | OIDC/SSO for all web apps. No custom auth systems. | +| **Unauthenticated External Services** | Cilum Gateway | gateway-system/external | High performance unauthenticated web apps. | +| **Unauthenticated Internal Services** | Cilum Gateway | gateway-system/internal | High performance unauthenticated web apps. | +| **Monitoring** | Prometheus Stack | | Create ServiceMonitors and PrometheusRules for all services. AlertManager for alerting. | ## Infrastructure Deployment
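Review bot: The two "Unauthenticated External/Internal Services" rows and the new Cilium rows need attention before merge. (1) "Cilum Gateway" is misspelled in both rows; it should read "Cilium Gateway". (2) Dropping the old "Auth" row in favour of authenticated and unauthenticated gateway pairs changes policy substance: "High performance unauthenticated web apps" states what the gateways are for but not who may use them, and the previous rule "OIDC/SSO for all web apps. No custom auth systems." now sits only on the Istio rows. Suggest adding a criterion or approval step to the unauthenticated rows (for example, "Only for endpoints that must be anonymous; requires review before use") so the table does not read as two equally valid defaults. (3) The CNPG row silently drops "no SQLite in production" from the removed line; if that prohibition still stands, keep it. (4) The "Database Alternate" Access cell points at `k8s.mariadb.com/MaxScale`, while the Policy text says "All MariaDB via MariaDB Operator CRDs"; if the intended entry point is the `MariaDB` CRD rather than the MaxScale proxy, list that instead, or note both. (5) The Access column mixes conventions (`storageClass: block-truenas`, `CephObjectStore/objectstore-ceph-external`, `postgresql.cnpg.io/Cluster`, `gateway-system/istio-external`) and the Monitoring row leaves it empty; a short legend line under the table, or `group/Kind` throughout and `n/a` for Monitoring, would make it unambiguous. Minor: the replica/backup clauses read better with separators, e.g. "3 replicas, 30 days of backup in Production; 1 replica, 5 days of backup in Dev/Test/QA".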