⚠️ This document is for the Alpha version of Nubus for Kubernetes. Feedback is welcome. ⚠️

Nubus for Kubernetes - Architecture Manual 0.5.5 (Alpha)

Deployment view

2.5. Deployment view#

This section provides a deployment views for the functional components of Nubus for Kubernetes.

You need to know the concept of pods and jobs in Kubernetes and what a Helm Chart is. Pods are the smallest deployable units of computing that you can create and manage. A job creates one or more pods and continues to retry running the pods until a specified number of them successfully ends.

The deployment view of Nubus consists of several figures, because one single figure would contain too many elements and would be hard to read. Each component has its own deployment view. Their common concept is the application component Univention Nubus for Kubernetes.

The views follow the same pattern. A Helm Chart locates in a container registry and references Docker images in a container registry. Helm Chart and Docker image realize a pod or a job in the Kubernetes cluster. A pod or a job realizes an application component in Nubus. The realization relationship represents that an element plays a critical role in the creation, or operation of a more abstract element. An application component belongs to a functional component that’s part of Nubus for Kubernetes.

See also

Pods | Kubernetes

for more information about pods, what they are and how to work with them.

Jobs | Kubernetes

for more information about jobs and their role in workload management.

Helm | Charts

for more information about Helm Charts.

Information about used notation

This section uses concepts from the ArchiMate enterprise architecture modeling notation across the application and technology layers.

From the application layer it uses the following concepts:

  • Application Component

  • Application Interface

  • Application Process

  • Application Function

  • Data Object

From the technology layer it uses the following concepts:

  • System Software

  • Artifact

  • Node

From the relationships it uses the following concepts:

  • Composition

  • Aggregation

  • Realization

  • Assignment

  • Flow

  • Serving

For more information on these ArchiMate concepts, refer to the following sections in Univention Corporate Server Architecture [2]:

2.5.1. Registries for Helm Charts and images#

Fig. 2.25 shows the container registries that provide Helm Charts and images for Nubus.

Most Helm Charts come from artifacts.software-univention.de and docker.io. Most images come from artifacts.software-univention.de and docker.software-univention.de, both operated by Univention. Some artifacts come from docker.io and registry.opencode.de.

The deployment views show which registry provides the respective Helm Charts and images.

When you install Nubus for Kubernetes, Helm loads the Charts and the images from these registry locations.

ArchiMate view of the container registries that Nubus uses

Fig. 2.25 ArchiMate view of the container registries that Nubus uses#

See also

Installation in Univention Nubus for Kubernetes - Operation Manual [1]

for more information about requirements and how to install Nubus for Kubernetes.

2.5.2. Authorization Service#

Fig. 2.26 shows the deployment view for the Authorization Service. For a description of the Guardian, refer to Authorization Service

Helm Charts

  • guardian from artifacts.software-univention.de

Images

From the registry docker.software-univention.de:

  1. guardian-authorization-api-authorization-api

  2. guardian-management-api-management-api

  3. guardian-management-ui-management-ui

  4. guardian-authorization-api-opa

From the registry registry.opencode.de:

  1. opendesk-keycloak-bootstrap

Jobs:

guardian-provisioning

Pods

  1. guardian-authorization-api

  2. guardian-management-api

  3. guardian-management-ui

  4. guardian-open-policy-agent

The pods realize the respective application components that ultimately make up the Authorization Service functional component.

ArchiMate view for deployment of functional component Authorization Service

Fig. 2.26 ArchiMate view for deployment of functional component Authorization Service#

To enlarge the figure, follow the tips in How to use the document.

2.5.3. Directory Manager#

Fig. 2.27 shows the deployment view for the Directory Manager. For a description of the Directory Manager, refer to Directory Manager.

Helm Charts

From artifacts.software-univention.de: udm-rest-api

Images

From artifacts.software-univention.de: udm-rest-api

Pods

udm-rest-api

The pod realizes the UDM HTTP REST API application component that makes up the Directory Manager functional component.

ArchiMate view for deployment of functional component Directory Manager

Fig. 2.27 ArchiMate view for deployment of functional component Directory Manager#

To enlarge the figure, follow the tips in How to use the document.

2.5.4. End User Self Service#

Fig. 2.28 shows the deployment view of the End User Self Service. For a description of the End User Self Service, refer to End User Self Service.

Helm Charts

From artifacts.software-univention.de: self-service-listener

Images

From artifacts.software-univention.de: self-service-invitation

Pods

self-service-listener

The pod realizes the Self Service Listener application component from the End User Self Service functional component.

ArchiMate view for deployment of functional component Self Service

Fig. 2.28 ArchiMate view for deployment of functional component Self Service#

2.5.5. Identity Provider#

Fig. 2.29 shows the deployment view of the Identity Provider. For a description of the Identity Provider, refer to Identity Provider.

Helm Charts

From artifacts.software-univention.de:

  1. keycloak

  2. keycloak-bootstrap

  3. keycloak-extensions

Images

From artifacts.software-univention.de:

  1. keycloak-bootstrap

  2. keycloak-handler

  3. keycloak-proxy

From docker.software-univention.de:

  1. keycloak-keycloak

Jobs

keycloak-bootstrap

Pods

  1. keycloak

  2. keycloak-handler

  3. keycloak-proxy

The pods realize the respective application components that ultimately make up the Identity Provider functional component. The Handler and the Proxy aggregate to the Keycloak Extensions application component.

ArchiMate view for deployment of functional component Identity Provider

Fig. 2.29 ArchiMate view for deployment of functional component Identity Provider#

To enlarge the figure, follow the tips in How to use the document.

2.5.6. Identity Store and Directory Service#

Fig. 2.30 shows the deployment view of the Identity Store and Directory Service. For a description of the Identity Store and Directory Service, refer to Identity Store and Directory Service.

Helm Charts

From artifacts.software-univention.de:

  1. ldap-notifier

  2. ldap-server

Images

From artifacts.software-univention.de:

  1. ldap-notifier

  2. ldap-server

Pods

  1. ldap-notifier

  2. ldap-server-primary

  3. ldap-server-secondary

  4. ldap-server-proxy

The pods realize the respective application components that ultimately make up the Identity Store and Directory Service functional component. Nubus for Kubernetes launches multiple pods for each LDAP Primary, each LDAP Secondary, and each LDAP Proxy.

ArchiMate view for deployment of functional component Identity Store and Directory Service

Fig. 2.30 ArchiMate view for deployment of functional component Identity Store and Directory Service#

To enlarge the figure, follow the tips in How to use the document.

Fig. 2.31 shows jobs that load data through the UDM HTTP REST API to the LDAP Server.

Helm Charts

From artifacts.software-univention.de:

  1. stack-data-ums

  2. stack-data-swp

Images

From artifacts.software-univention.de: data-loader

Jobs

  1. stack-data-ums

  2. stack-data-swp

ArchiMate view for deployment of Stack Data

Fig. 2.31 ArchiMate view for deployment of Stack Data to fill the Directory Service with initial data#

To enlarge the figure, follow the tips in How to use the document.

2.5.7. Management UI#

Fig. 2.32 shows the deployment view of the Management UI. For a description of the Management UI, refer to Management UI.

Helm Charts

From artifacts.software-univention.de:

  1. umc-gateway

  2. umc-server

Images

From artifacts.software-univention.de:

  1. umc-gateway

  2. umc-server

From docker.io:

  1. memcached

Pods

  1. umc-gateway

  2. umc-server

  3. umc-server-memcached

The pods realize the respective application components that ultimately make up the Management UI functional component.

ArchiMate view for deployment of functional component Management UI

Fig. 2.32 ArchiMate view for deployment of functional component Management UI#

To enlarge the figure, follow the tips in How to use the document.

2.5.8. Portal Service#

Fig. 2.33 shows the deployment view of the Portal Service. For a description of the Portal Service, refer to Portal Service.

Helm Charts

From artifacts.software-univention.de:

  1. notifications-api

  2. portal-server

  3. portal-frontend

  4. portal-listener

Images

From artifacts.software-univention.de:

  1. notifications-api

  2. portal-server

  3. portal-frontend

  4. portal-listener

Pods

  1. notifications-api

  2. portal-server

  3. portal-listener

The pods realize the respective application components that ultimately make up the Portal Service functional component.

ArchiMate view for deployment of functional component Portal

Fig. 2.33 ArchiMate view for deployment of functional component Portal#

To enlarge the figure, follow the tips in How to use the document.

2.5.9. Provisioning Service#

Fig. 2.34 shows the deployment view of the Provisioning Service. For a description of the Provisioning Service, refer to Provisioning Service.

Helm Charts

From artifacts.software-univention.de:

  1. udm-listener

  2. provisioning

Images

From artifacts.software-univention.de:

  1. provisioning-events-and-consumer-api

  2. provisioning-dispatcher

  3. provisioning-udm-listener

  4. provisioning-prefill

  5. wait-for-dependency

  6. provisioning-udm-transformer

From docker.io:

  1. nats

  2. nats-server-config-reloader

  3. nats-box

Jobs

provisioning-register-consumers

Pods

  1. provisioning-api

  2. provisioning-dispatcher

  3. provisioning-listener

  4. provisioning-prefill

  5. provisioning-udm-transformer

  6. provisioning-nats

The pods realize the respective application components that ultimately up the Povisioning Service functional component.

ArchiMate view for deployment of functional component Provisioning

Fig. 2.34 ArchiMate view for deployment of functional component Provisioning#

To enlarge the figure, follow the tips in How to use the document.

2.5.10. Stack Gateway#

The Stack Gateway is a reverse proxy that handles the HTTP traffic with proxy behavior and URL rewriting. Fig. 2.35 shows the deployment view of the Stack Gateway.

Helm Charts

From docker.io: nginx

Images

From docker.io: nginx

Pods

stack-gateway

The pod realizes the Stack Gateway application component.

ArchiMate view for deployment of the Stack Gateway

Fig. 2.35 ArchiMate view for deployment of the Stack Gateway#

Fig. 2.36 shows the application components to which the proxy functionality redirects the respective traffic. The ArchiMate view uses the Serving relationship, which is one of the dependency relationships. This means that the interfaces for the application components provide their accessibility to the proxy through HTTP. The Stack Gateway provides proxy functionality and URL rewriting for the following functional components:

  • Portal Service

  • End User Self Service

  • Directory Manager

  • Management UI

  • Authorization Service

  • S3-compatible Object Storage

ArchiMate view of functional component Stack Gateway and where it proxies traffic

Fig. 2.36 ArchiMate view of the Stack Gateway and where it proxies traffic#

To enlarge the figure, follow the tips in How to use the document.

2.5.11. SQL database: PostgreSQL#

Important

This section is only for your information and applies for Nubus for Kubernetes environments that use the PostgreSQL deployment provided by the Nubus Helm Chart as described in Deploy requirements based on examples included in Nubus in Univention Nubus for Kubernetes - Operation Manual [1].

This setup is only for testing purposes.

For a production deployment and more information, see Use requirements provided by Kubernetes cluster in Univention Nubus for Kubernetes - Operation Manual [1].

Fig. 2.37 shows the deployment view for SQL Database: PostgreSQL.

Helm Charts

From docker.io: postgresql

Images

From docker.io: postgresql

Pods

postgresql

The pod runs a PostgreSQL database management system. For each application that uses PostgreSQL, the deployment setup creates corresponding databases with corresponding database users and credentials. The figure shows, which application component uses which database, and that the application components access the database management system through the TCP to SQL database interface.

The figure primarily uses structural relationships to show the structure and what goes where. The Serving dependency relationship shows the direct dependencies between the application components and the databases. Table 2.1 shows the direct mappings between databases and application components.

ArchiMate view of PostgreSQL deployment through Nubus for Kubernetes

Fig. 2.37 ArchiMate view of PostgreSQL deployment through Nubus for Kubernetes#

To enlarge the figure, follow the tips in How to use the document.

Table 2.1 Application components using PostgreSQL databases#

Database

Application component

Functional component

PostgreSQL DB: Notifications API

Notifications API

Portal Service

PostgreSQL DB: UMC Server

UMC Server

Management UI

PostgreSQL DB: Keycloak

Keycloak

Identity Provider

PostgreSQL DB: Keycloak Extensions

Keycloak Extensions

Identity Provider

PostgreSQL DB: Guardian Management REST API

Guardian Management REST API

Authorization Service
On this page