# Infrastructure Architecture Overview
This document describes the architecture of the cloud infrastructure powering the Ulmexa platform, based on OpenStack and various supporting services.
## 🔧 Core Components
The infrastructure is built using the following main components:
### 1. OpenStack Services
| Service | Description |
|---|---|
| Keystone | Identity service for authentication and authorization across all OpenStack services |
| Glance | Image service to store and retrieve virtual machine images |
| Nova | Compute service to manage VM lifecycle (provisioning, scheduling, execution) |
| Neutron | Networking service to manage virtual networks, subnets, routers, floating IPs |
| Cinder | Block storage service (if enabled) for persistent volumes |
| Horizon | Optional web dashboard for admin and user access |
### 2. Supporting Infrastructure
| Component | Description |
|---|---|
| MySQL/MariaDB | Relational database backend for all OpenStack services |
| RabbitMQ | Message queue used for communication between services |
| Memcached | Caching layer used for Keystone tokens and by other components |
| Nginx/HAProxy | Reverse proxy or load balancer (if used for high availability) |
| Prometheus + Grafana | Monitoring stack to track metrics and system health |
| Mailcow | Email infrastructure for communication, alerts, and DMaaS |
| Keycloak | IAM system used for centralized user authentication and federation |
## 🖥️ Node Roles
| Node Type | Role |
|---|---|
| Controller Node | Hosts API services, scheduler, database, and identity service |
| Compute Node(s) | Hosts virtual machine workloads |
| Storage Node(s) (optional) | Hosts persistent volumes via Cinder or Ceph |
| Monitoring Node | Hosts Prometheus, Grafana, and Alertmanager (optional) |
| Mail Node | Hosts Mailcow email server stack |
✅ Nodes may be virtual (VPS or VM) or physical, depending on the deployment.
## 🌐 Networking Architecture
### Network Types
- Management Network: Used for internal communication between OpenStack components
- Provider Network: Bridges VMs to the external world (mapped to the public bridge)
- Tenant Network: Isolated per-project networks managed via Neutron
### Floating IPs
- Allocated from a public IP pool
- Used to provide external access to VMs via NAT
## 🔐 Identity & Access
- Keycloak is used as a centralized IAM provider
- Integrated with OpenStack Keystone using federation
- Users authenticate once via Keycloak to access OpenStack services
- Role-based access control (RBAC) is enforced using OpenStack roles (admin, member, reader, etc.)
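The Keycloak-to-Keystone federation step above works by mapping the identity provider's claims onto Keystone users and groups (which in turn carry the OpenStack roles). The following is an added example, not the platform's own configuration: a simplified evaluator of Keystone-style mapping rules over a constructed set of OIDC claims, showing that a login with no matching rule is denied and that a user without the admin group claim only lands in the reader group. The claim names (`OIDC-preferred_username`, `OIDC-groups`), the group names and the `openstack-admins` value are assumptions.

```python
import json

# Constructed mapping rules in the Keystone federation mapping format
# (assumption: the deployment maps Keycloak OIDC claims roughly like this).
MAPPING_RULES = json.loads("""
[
  {"local":  [{"user": {"name": "{0}"}},
              {"group": {"name": "admins", "domain": {"name": "Default"}}}],
   "remote": [{"type": "OIDC-preferred_username"},
              {"type": "OIDC-groups", "any_one_of": ["openstack-admins"]}]},
  {"local":  [{"user": {"name": "{0}"}},
              {"group": {"name": "readers", "domain": {"name": "Default"}}}],
   "remote": [{"type": "OIDC-preferred_username"},
              {"type": "OIDC-groups", "not_any_of": ["openstack-admins"]}]}
]
""")


def _remote_matches(remote, claims):
    """Return the values substituted into {0}, {1}, ... or None if any condition fails."""
    values = []
    for cond in remote:
        value = claims.get(cond["type"])
        if value is None:                      # missing claim: the rule cannot apply
            return None
        claim_values = value if isinstance(value, list) else [value]
        if "any_one_of" in cond and not set(claim_values) & set(cond["any_one_of"]):
            return None
        if "not_any_of" in cond and set(claim_values) & set(cond["not_any_of"]):
            return None
        if "any_one_of" not in cond and "not_any_of" not in cond:
            values.append(claim_values[0])     # only plain conditions feed direct mapping
    return values


def map_claims(claims, rules=MAPPING_RULES):
    """Simplified Keystone mapping evaluation: (username, groups), or None when denied."""
    username, groups = None, []
    for rule in rules:
        values = _remote_matches(rule["remote"], claims)
        if values is None:
            continue
        for item in rule["local"]:
            if "user" in item:
                username = item["user"]["name"].format(*values)
            if "group" in item:
                groups.append(item["group"]["name"])
    if username is None:
        return None                            # no rule matched: federated login is refused
    return username, groups
```

Reviewing the mapping this way (rather than only the Keycloak side) is the quickest check that a federated identity cannot reach the `admin` role without the expected group claim.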