-
Notifications
You must be signed in to change notification settings - Fork 20
doc: add design proposal for multi-tenancy simplification #1196
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Merged
Merged
Changes from 1 commit
Commits
Show all changes
13 commits
Select commit
Hold shift + click to select a range
55abcc9
doc: add design proposal for multi-tenancy simplification
hyunsun 42095a8
Update design-proposals/platform-multi-tenancy-simplification.md
hyunsun fe98913
Update design-proposals/platform-multi-tenancy-simplification.md
hyunsun 67770ef
Update design-proposals/platform-multi-tenancy-simplification.md
hyunsun 06741c1
Update
hyunsun 6646d2f
Fix lint
hyunsun dc31a26
Update
hyunsun ae5564b
Merge branch 'main' into itep-82478
hyunsun 00db93c
More update
hyunsun eb1e39b
Priority update for tenant-manager NB implementation
hyunsun fa4b175
Merge branch 'main' into itep-82478
togashidm 175b670
Merge branch 'main' into itep-82478
krishnajs 7a56ebc
fix: lint issues addressed
togashidm File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file added
BIN
+102 KB
design-proposals/images/multi-tenancy-external-service-integration-st.png
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file added
BIN
+198 KB
design-proposals/images/multi-tenancy-external-service-integration.png
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file added
BIN
+208 KB
design-proposals/images/multi-tenancy-new-architecture-single-tenant.png
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
125 changes: 125 additions & 0 deletions
125
design-proposals/platform-multi-tenancy-simplification.md
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,125 @@ | ||
| # Design Proposal: Multi-tenancy Simplification | ||
|
|
||
| Author(s): Hyunsun Moon, Denisio Togashi | ||
|
|
||
| Last updated: 12/2/25 | ||
|
|
||
| ## Abstract | ||
|
|
||
| The existing EMF multi-tenancy architecture enforces a centralized multi-tenant API gateway, resulting in tight coupling | ||
| and unnecessary complexity for all deployments. This proposal aims to simplify the architecture by making multi-tenancy | ||
| components optional, enabling direct API exposure for services, and introducing a shared middleware library. These | ||
| changes allow for flexible deployment options—from full multi-tenant environments to lightweight, single-service | ||
| integrations—while preserving backward compatibility and supporting external service integrations. The focus is on | ||
| achieving architectural modularity and deployment flexibility, rather than optimizing for performance or resource usage. | ||
|
|
||
| ## User Stories | ||
|
|
||
| ### User Story 1: Configurable Multi-tenancy | ||
|
|
||
| As a platform administrator, I need the ability to enable or disable multi-tenancy features based on deployment | ||
| requirements, so that the system can be tailored to specific organizational needs. | ||
|
|
||
| ### User Story 2: Lightweight EIM Integration | ||
|
|
||
| As a third-party service developer, I want to integrate only the EIM sub-components without deploying the entire EMF | ||
| stack, so that I can add infrastructure management capabilities with minimal overhead. | ||
|
|
||
| ### User Story 3: Flexible External Service Integration | ||
|
|
||
| As a solution architect, I want to connect external services to EMF regardless of the tenancy mode, so that I can extend | ||
| EMF’s capabilities across diverse environments. | ||
|
|
||
| ### User Story 4: Seamless Backward Compatibility | ||
|
|
||
| As an existing EMF customer, I want to ensure that my current multi-tenant deployments remain fully compatible after | ||
| upgrades, so that my workflows continue without disruption. | ||
|
|
||
| ## Proposal | ||
|
|
||
| ### Overview | ||
|
|
||
| This proposal introduces a phased migration from the current monolithic multi-tenant architecture to a modular system | ||
| that supports both single-tenant and multi-tenant deployment modes. By decoupling multi-tenancy components and making | ||
| them optional, the architecture enables flexible service deployment and direct API exposure. The approach preserves all | ||
| existing multi-tenancy features where required, while allowing lightweight, simplified deployments when multi-tenancy is | ||
hyunsun marked this conversation as resolved.
Outdated
Show resolved
Hide resolved
|
||
| not needed. | ||
|
|
||
| ### Current Architecture Problems | ||
|
|
||
|  | ||
|
|
||
| The current EMF architecture exhibits several key issues: | ||
|
|
||
| - **Single Point of Failure** All external requests are funneled through a single Multi-tenant API Gateway, creating a | ||
| potential point of failure. | ||
| - **Mandatory Complexity:** Every deployment, regardless of actual requirements, must include the entire multi-tenancy | ||
| stack, increasing operational overhead. | ||
| - **Lack of Flexibility:** The architecture does not support selective component deployment or straightforward | ||
| integration with external services, restricting adaptability to diverse environments. | ||
|
|
||
| ### Proposed Solution (WIP) | ||
|
|
||
|  | ||
|
|
||
| The target architecture achieves a fully modular system with the following characteristics: | ||
|
|
||
| - The complex Multi-tenant API Gateway is repurposed as HTTP router for tenant-manager, serving only `/v1/projects` and `/v1/orgs` endpoints. | ||
| - All multi-tenancy components are optional (indicated by dashed borders). | ||
| - Services (AO, CO, EIM) expose external APIs directly, eliminating central coordination. | ||
| - External integrations are streamlined via direct service access. | ||
|
|
||
| Below are examples of external service integration scenarios enabled by the new architecture: | ||
|
|
||
|  | ||
|  | ||
|
|
||
| ### Core Architecture Changes | ||
|
|
||
| 1. **Distributed API Handling** | ||
| - Enable direct external API exposure, removing the need for complex central routing and API remapping. | ||
| - Each service (AO, CO, EIM) manages Multi-tenant API Gateway responsibilities including: | ||
| - Resolve active project ID | ||
| - Tenant-aware AuthX | ||
| - Provide `/openapi` and `/swagger` endpoints | ||
| - Consolidate common functionality into a shared `orch-lib` middleware library to minimize duplicate work and ensure consistent API behaviors across services. | ||
|
|
||
| 2. **Optional Multi-tenancy Components** | ||
| - Make the Tenancy Manager optional, allowing it to be disabled in single-tenant deployments. | ||
| - Service-specific Tenant Controllers and Keycloak Tenant Controller are also optional. | ||
| - Provide default tenant bootstrap for single-tenant scenarios to simplify setup. | ||
|
|
||
| ### Migration Strategy | ||
|
|
||
| #### Phase 0: Foundation | ||
|
|
||
| - Develop a shared middleware library (`orch-lib`) to centralize common multi-tenancy logic. | ||
| - Create Helm configuration templates to support both single-tenant and multi-tenant deployment modes. | ||
| - Implement standardized service initialization patterns for consistent startup across services. | ||
hyunsun marked this conversation as resolved.
Outdated
Show resolved
Hide resolved
|
||
| - Build a comprehensive testing framework to validate modularity and backward compatibility. | ||
|
|
||
| #### Phase 1: EIM Modernization | ||
|
|
||
|  | ||
|
|
||
| - Decouple EIM from the legacy API gateway, enabling direct external API exposure. | ||
| - Remove EIM-specific API mapping from `nexus-api-gateway` configuration. | ||
| - Update CO to interact with EIM via its external APIs for inventory operations. | ||
| - Pilot the modular architecture with EIM to validate design and integration patterns. | ||
| - Support external service integrations with EIM in both single-tenant and multi-tenant modes. | ||
|
|
||
| **Benefits:** | ||
| - Minimizes migration risk by introducing changes incrementally. | ||
| - Provides early access to EIM integration for external services. | ||
| - Confirms the effectiveness of the modular approach before expanding to other components. | ||
| - Ensures AO and CO remain stable throughout the transition. | ||
|
|
||
| #### Phase 2: CO and AO Modernization | ||
|
|
||
| - Transform App Orchestration and Cluster Orchestration to the modular architecture. | ||
| - Achieve the full target architecture with all services decoupled. | ||
|
|
||
| #### Phase 3: Cleanup | ||
|
|
||
| - Remove legacy code paths and deprecated components. | ||
| - Finalize documentation for deployment and migration processes. | ||
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Uh oh!
There was an error while loading. Please reload this page.