https://github.com/inferadb/deploy
InferaDB deployment — GitOps for multi-region, multi-cloud Kubernetes
- Host: GitHub
- URL: https://github.com/inferadb/deploy
- Owner: inferadb
- License: apache-2.0
- Created: 2025-12-14T03:21:48.000Z (4 months ago)
- Default Branch: main
- Last Pushed: 2026-01-19T22:18:04.000Z (3 months ago)
- Last Synced: 2026-01-20T05:30:48.912Z (3 months ago)
- Topics: access-control, authorization, deployment, devops, docker, fine-grained-access-control, helm, inferadb, infrastructure-as-code, kubernetes, permissions, rebac, terraform, zanzibar
- Language: HCL
- Homepage: https://inferadb.com
- Size: 287 KB
- Stars: 1
- Watchers: 0
- Forks: 0
- Open Issues: 1
Metadata Files:
- Readme: README.md
- Contributing: CONTRIBUTING.md
- License: LICENSE-APACHE
- Code of conduct: CODE_OF_CONDUCT.md
- Codeowners: .github/CODEOWNERS
- Security: SECURITY.md
README
> [!IMPORTANT]
> Under active development. Not production-ready.
## Architecture Overview
- **OS**: Talos Linux (immutable, API-driven)
- **Orchestration**: Kubernetes
- **GitOps**: Flux CD
- **IaC**: Terraform + OpenTofu
- **CNI**: Cilium (with WireGuard encryption)
- **Networking**: Tailscale mesh
- **Secret Management**: External Secrets Operator + SOPS
## Directory Structure
```text
deploy/
├── terraform/ # Infrastructure provisioning
│ ├── modules/ # Reusable Terraform modules
│ ├── environments/ # Environment-specific configs (dev, staging, production)
│ └── regions/ # Regional cluster definitions
├── flux/ # GitOps configurations
│ ├── clusters/ # Cluster-specific Flux configs
│ ├── infrastructure/ # Cluster infrastructure (CNI, operators, etc.)
│ └── apps/ # Application deployments
├── talos/ # Talos Linux configurations
├── policies/ # Kyverno and network policies
├── scripts/ # Deployment automation scripts
├── runbooks/ # Operational runbooks
├── alerts/ # Prometheus alerting rules
├── slos/ # Service Level Objectives
└── docs/ # Documentation and ADRs
```
## Quick Start
### Local Development
Use the [InferaDB CLI](https://github.com/inferadb/cli) for local development:
```bash
# Create local cluster and deploy InferaDB stack
inferadb dev start
# Show cluster status
inferadb dev status
# Tear down cluster
inferadb dev stop --destroy
```
The dev environment deploys:
- **Ledger**: Single-node blockchain storage
- **Engine**: Authorization policy engine
- **Control**: Control plane API
- **Dashboard**: Web console
Access services:
```bash
kubectl port-forward -n inferadb svc/inferadb-engine 8080:8080
kubectl port-forward -n inferadb svc/inferadb-control 9090:9090
kubectl port-forward -n inferadb svc/inferadb-dashboard 3000:3000
```
### Staging/Production Deployment
```bash
# Bootstrap a cluster
./scripts/bootstrap-cluster.sh
# Example: staging NYC1 on AWS
./scripts/bootstrap-cluster.sh staging nyc1 aws
```
## Environments
| Environment | Regions | Purpose |
| ----------- | -------------------- | -------------------------- |
| Development | Local (Docker) | Development and testing |
| Staging | NYC1 + monthly drills| Pre-production validation |
| Production | NYC1, SFO1 | Live workloads |
## Key Components
### Terraform Modules
- `talos-cluster`: Abstract Talos K8s cluster provisioning
- `provider-aws`: AWS-specific resources (VPC, EC2, etc.)
- `provider-gcp`: GCP-specific resources
- `provider-digitalocean`: DigitalOcean-specific resources
- `ledger-cluster`: Ledger StatefulSet deployment
- `dns`: Multi-provider DNS management
### Flux Kustomizations
- `infrastructure/base`: Shared controllers and operators
- `apps/base`: Application deployments (engine, control, dashboard)
## Security
- Pod Security Standards (namespace-level)
- Cilium NetworkPolicies (default deny)
- Image signing via Kyverno
- WireGuard pod-to-pod encryption
- Trivy vulnerability scanning
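The controls above compose into a small set of cluster manifests. What follows is an added illustration written for this page, not a copy of anything in the repository's `policies/` directory. It assumes an `inferadb` namespace (the name the Quick Start port-forwards use), a hypothetical image registry path `ghcr.io/inferadb/*`, and a hypothetical GitHub Actions signer identity for the Kyverno keyless check. It shows a `restricted` Pod Security Standards label set, a Cilium default-deny policy paired with the DNS allowance that default deny otherwise breaks, and a Kyverno `verifyImages` rule that rejects unsigned images.

```yaml
# Added example (not from the inferadb/deploy repository).
# Assumptions: namespace "inferadb"; images under ghcr.io/inferadb/* (hypothetical);
# signer identity of a hypothetical GitHub Actions workflow in the inferadb org.
---
# 1. Pod Security Standards enforced at namespace level.
#    "restricted" rejects privileged pods, host namespaces, root users,
#    unbounded capabilities and similar; "audit"/"warn" surface violations.
apiVersion: v1
kind: Namespace
metadata:
  name: inferadb
  labels:
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/enforce-version: latest
    pod-security.kubernetes.io/audit: restricted
    pod-security.kubernetes.io/warn: restricted
---
# 2. Cilium default deny for every endpoint in the namespace.
#    Declaring an ingress/egress section (here with one empty rule) switches
#    the selected endpoints into default-deny mode for that direction.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: default-deny
  namespace: inferadb
spec:
  endpointSelector: {}
  ingress:
    - {}
  egress:
    - {}
---
# 3. Allow DNS lookups to kube-dns. Without this, service discovery is the
#    first thing to fail once default deny is on. The L7 DNS rule also lets
#    Cilium log/filter the names being resolved.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: allow-dns-egress
  namespace: inferadb
spec:
  endpointSelector: {}
  egress:
    - toEndpoints:
        - matchLabels:
            "k8s:io.kubernetes.pod.namespace": kube-system
            "k8s:k8s-app": kube-dns
      toPorts:
        - ports:
            - port: "53"
              protocol: ANY
          rules:
            dns:
              - matchPattern: "*"
---
# 4. Kyverno image signature verification (Sigstore keyless, cosign-style).
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: verify-inferadb-images
spec:
  validationFailureAction: Enforce   # reject unsigned images rather than only auditing
  background: false                  # admission-time check only
  webhookTimeoutSeconds: 30
  rules:
    - name: require-cosign-signature
      match:
        any:
          - resources:
              kinds: [Pod]
              namespaces: [inferadb]
      verifyImages:
        - imageReferences:
            - "ghcr.io/inferadb/*"             # hypothetical registry path
          mutateDigest: true                   # pin tag to the verified digest
          attestors:
            - count: 1
              entries:
                - keyless:
                    subject: "https://github.com/inferadb/*"   # hypothetical signer identity
                    issuer: "https://token.actions.githubusercontent.com"
                    rekor:
                      url: https://rekor.sigstore.dev
```

Rollout order matters: land the DNS allowance together with (or before) the default-deny policy, and stage the Kyverno policy with `validationFailureAction: Audit` first so the policy reports show which workloads would be rejected before enforcement is switched on.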
## Documentation
- [Getting Started](docs/getting-started.md)
- [Adding Regions](docs/adding-regions.md)
- [Disaster Recovery](docs/disaster-recovery.md)
- [Security Model](docs/security-model.md)
- [Cost Estimation](docs/cost-estimation.md)
## Runbooks
- [Ledger Cluster Recovery](runbooks/ledger-cluster-recovery.md)
- [Node Replacement](runbooks/node-replacement.md)
- [Full Region Failover](runbooks/full-region-failover.md)
- [Break-Glass Procedures](runbooks/break-glass-procedures.md)
## Development Setup
Enable git hooks:
```bash
git config core.hooksPath .githooks
```
Required tools (via `.mise.toml` or manual install):
- `terraform` - formatting
- `yamllint` - YAML linting (`pip install yamllint`)
- `shellcheck` - shell linting
## Contributing
All changes require PR review. CI runs on push/PR:
- **Terraform**: Format and validate checks
- **Kubernetes**: YAML lint and Kustomize build validation
- **Security**: Trivy, Checkov, and KICS scans
## Community
Join us on [Discord](https://discord.gg/inferadb) for questions, discussions, and contributions.
## License
Dual-licensed under [MIT](LICENSE-MIT) or [Apache 2.0](LICENSE-APACHE).
