feat(billing): implement tenant subscription entitlements system (milestones 0-6)

2026-03-30 18:41:23 +03:00
parent 5992044b7e
commit 2595e7f1c5
63 changed files with 8448 additions and 321 deletions
--- a/swarm/stacks/control-plane-prod.yml
+++ b/swarm/stacks/control-plane-prod.yml
@@ -0,0 +1,79 @@
+version: "3.9"
+
+services:
+  control-api:
+    image: ${IMAGE_PREFIX:-cloudlysis}/control-api:${IMAGE_TAG:-dev}
+    environment:
+      CONTROL_API_ADDR: "0.0.0.0:8080"
+      CONTROL_PLACEMENT_PATH: "/etc/control/placement.json"
+      CONTROL_SWARM_STATE_PATH: "/etc/control/swarm_state.json"
+      CONTROL_SELF_URL: "${CONTROL_SELF_URL:-http://control-api:8080}"
+
+      # S3 document storage (Hetzner Object Storage in production).
+      CONTROL_S3_ENDPOINT: "${CONTROL_S3_ENDPOINT:?missing}"
+      CONTROL_S3_PUBLIC_ENDPOINT: "${CONTROL_S3_PUBLIC_ENDPOINT:-}"
+      CONTROL_S3_REGION: "${CONTROL_S3_REGION:?missing}"
+      CONTROL_S3_ACCESS_KEY_ID_FILE: "/run/secrets/control_s3_access_key_id"
+      CONTROL_S3_SECRET_ACCESS_KEY_FILE: "/run/secrets/control_s3_secret_access_key"
+      CONTROL_S3_FORCE_PATH_STYLE: "${CONTROL_S3_FORCE_PATH_STYLE:-false}"
+      CONTROL_S3_INSECURE: "${CONTROL_S3_INSECURE:-false}"
+      CONTROL_S3_BUCKET_DOCS: "${CONTROL_S3_BUCKET_DOCS:?missing}"
+      CONTROL_S3_PREFIX_DOCS: "${CONTROL_S3_PREFIX_DOCS:-docs/}"
+    secrets:
+      - control_s3_access_key_id
+      - control_s3_secret_access_key
+    configs:
+      - source: control_placement
+        target: /etc/control/placement.json
+      - source: control_swarm_state
+        target: /etc/control/swarm_state.json
+    networks:
+      - internal
+    ports:
+      - target: 8080
+        published: 8080
+        protocol: tcp
+        mode: ingress
+    deploy:
+      replicas: 2
+      restart_policy:
+        condition: on-failure
+      update_config:
+        parallelism: 1
+        order: start-first
+        failure_action: rollback
+
+  control-ui:
+    image: ${IMAGE_PREFIX:-cloudlysis}/control-ui:${IMAGE_TAG:-dev}
+    environment:
+      VITE_CONTROL_API_URL: "${VITE_CONTROL_API_URL:-http://control-api:8080}"
+    networks:
+      - public
+      - internal
+    ports:
+      - target: 80
+        published: 8081
+        protocol: tcp
+        mode: ingress
+    deploy:
+      replicas: 2
+      restart_policy:
+        condition: on-failure
+
+configs:
+  control_placement:
+    file: ../../config/placement/dev.json
+  control_swarm_state:
+    file: ../../swarm/dev.json
+
+secrets:
+  control_s3_access_key_id:
+    external: true
+  control_s3_secret_access_key:
+    external: true
+
+networks:
+  public:
+    driver: overlay
+  internal:
+    driver: overlay
--- a/swarm/stacks/control-plane.yml
+++ b/swarm/stacks/control-plane.yml
@@ -1,6 +1,37 @@
 version: "3.9"

 services:
+  minio:
+    image: minio/minio:RELEASE.2025-02-28T09-55-16Z
+    command: ["server", "/data", "--console-address", ":9001"]
+    environment:
+      MINIO_ROOT_USER: minioadmin
+      MINIO_ROOT_PASSWORD: minioadmin
+    volumes:
+      - minio_data:/data
+    networks:
+      - internal
+    deploy:
+      replicas: 1
+
+  minio-init:
+    image: minio/mc:RELEASE.2025-02-21T16-00-46Z
+    networks:
+      - internal
+    command:
+      - /bin/sh
+      - -c
+      - |
+        set -euo pipefail
+        mc alias set local http://minio:9000 minioadmin minioadmin
+        mc mb -p local/cloudlysis-docs || true
+        mc anonymous set download local/cloudlysis-docs || true
+        echo "minio init done"
+    deploy:
+      replicas: 1
+      restart_policy:
+        condition: none
+
  control-api:
    image: ${IMAGE_PREFIX:-cloudlysis}/control-api:${IMAGE_TAG:-dev}
    environment:
@@ -8,6 +39,18 @@ services:
      CONTROL_PLACEMENT_PATH: "/etc/control/placement.json"
      CONTROL_SWARM_STATE_PATH: "/etc/control/swarm_state.json"
      CONTROL_SELF_URL: "http://control-api:8080"
+      CONTROL_S3_ENDPOINT: "${CONTROL_S3_ENDPOINT:-http://minio:9000}"
+      CONTROL_S3_PUBLIC_ENDPOINT: "${CONTROL_S3_PUBLIC_ENDPOINT:-}"
+      CONTROL_S3_REGION: "${CONTROL_S3_REGION:-us-east-1}"
+      CONTROL_S3_ACCESS_KEY_ID_FILE: "/run/secrets/control_s3_access_key_id"
+      CONTROL_S3_SECRET_ACCESS_KEY_FILE: "/run/secrets/control_s3_secret_access_key"
+      CONTROL_S3_FORCE_PATH_STYLE: "${CONTROL_S3_FORCE_PATH_STYLE:-true}"
+      CONTROL_S3_INSECURE: "${CONTROL_S3_INSECURE:-true}"
+      CONTROL_S3_BUCKET_DOCS: "${CONTROL_S3_BUCKET_DOCS:-cloudlysis-docs}"
+      CONTROL_S3_PREFIX_DOCS: "${CONTROL_S3_PREFIX_DOCS:-docs/}"
+    secrets:
+      - control_s3_access_key_id
+      - control_s3_secret_access_key
    configs:
      - source: control_placement_dev
        target: /etc/control/placement.json
@@ -44,12 +87,21 @@ services:

 configs:
  control_placement_dev:
-    file: ../../placement/dev.json
+    file: ../../config/placement/dev.json
  control_swarm_state_dev:
    file: ../../swarm/dev.json

+secrets:
+  control_s3_access_key_id:
+    external: true
+  control_s3_secret_access_key:
+    external: true
+
 networks:
  public:
    driver: overlay
  internal:
    driver: overlay
+
+volumes:
+  minio_data:
--- a/swarm/stacks/platform.yml
+++ b/swarm/stacks/platform.yml
@@ -89,6 +89,8 @@ services:
      RUNNER_STORAGE_PATH: /data/runner.mdbx
      RUNNER_SAGA_MANIFEST_PATH: /config/sagas.yaml
      RUNNER_EFFECTS_MANIFEST_PATH: /config/effects.yaml
+      # For production, point this at a real relay (SMTP/Resend/Postmark/SES) via effects config.
+      RUNNER_SMTP_URL: "${RUNNER_SMTP_URL:-}"
    volumes:
      - runner_saga_data:/data
    configs:
@@ -107,6 +109,7 @@ services:
      RUNNER_HTTP_ADDR: 0.0.0.0:8081
      RUNNER_STORAGE_PATH: /data/runner.mdbx
      RUNNER_EFFECTS_MANIFEST_PATH: /config/effects.yaml
+      RUNNER_SMTP_URL: "${RUNNER_SMTP_URL:-}"
    volumes:
      - runner_effect_data:/data
    configs: