Enterprise Setup
Overview
ATTEST Enterprise provides advanced features for large organizations, including centralized management, enterprise-grade security, compliance frameworks, and scalable infrastructure support.
Architecture
Enterprise Components
┌─────────────────────────────────────────────────────────────┐
│                      ATTEST Enterprise                      │
├─────────────────────────────────────────────────────────────┤
│  Management Console │  Policy Engine    │  Audit Service     │
│  User Management    │  Compliance Hub   │  Metrics Platform  │
├─────────────────────────────────────────────────────────────┤
│                   Distributed Cache Layer                   │
├─────────────────────────────────────────────────────────────┤
│     ATTEST Agents (Build Runners, Controllers, Workers)     │
└─────────────────────────────────────────────────────────────┘
Deployment Models
On-Premises Deployment
# enterprise-config.yaml
deployment:
  type: "on-premises"
  architecture: "high-availability"
  components:
    management_console:
      replicas: 3
      load_balancer: "nginx"
    cache:
      backend: "redis-cluster"
      nodes: 6
      persistence: true
    database:
      type: "postgresql"
      replicas: 3
      backup_schedule: "0 2 * * *"
Hybrid Cloud Deployment
deployment:
  type: "hybrid"
  on_premises:
    - management_console
    - sensitive_workloads
  cloud:
    # The cache still holds data produced by the on-premises sensitive
    # workloads: encrypt the link to it and limit what those workloads cache.
    - cache_layer
    - log_aggregation
    - monitoring
Multi-Region Setup
regions:
  primary:
    region: "us-east-1"
    components: ["all"]
  secondary:
    region: "eu-west-1"
    components: ["cache", "runners"]
    failover: true
  disaster_recovery:
    region: "ap-southeast-1"
    components: ["backup_only"]
Installation
Prerequisites
# System requirements check
attest enterprise prereqs check
# - Kubernetes 1.25+: OK
# - PostgreSQL 13+: OK
# - Redis 6+: OK
# - Storage: 500GB+ available: OK
# - CPU: 16+ cores: OK
# - Memory: 64GB+: OK
# License validation
attest enterprise license validate \
--key-file enterprise.key \
--contact support@alien6.com
Kubernetes Installation
# Add ATTEST Enterprise Helm repository
helm repo add attest-enterprise https://charts.enterprise.attest.continuu.ms
helm repo update
# Install with enterprise configuration
helm install attest-enterprise attest-enterprise/attest \
--namespace attest-system \
--create-namespace \
--values enterprise-values.yaml
Enterprise Values Configuration
# enterprise-values.yaml
global:
  enterprise:
    enabled: true
    # Helm does not expand shell variables: substitute this before install
    # (e.g. with envsubst) or pass it with --set, and keep the key out of
    # version control.
    license_key: "${ATTEST_ENTERPRISE_KEY}"
management:
  replicas: 3
  resources:
    requests:
      memory: "4Gi"
      cpu: "2"
    limits:
      memory: "8Gi"
      cpu: "4"
cache:
  type: "redis-cluster"
  redis:
    cluster:
      enabled: true
      master:
        count: 3
      replica:
        count: 3
database:
  type: "postgresql"
  postgresql:
    replication:
      enabled: true
      slaveReplicas: 2
    metrics:
      enabled: true
monitoring:
  prometheus:
    enabled: true
    retention: "30d"
  grafana:
    enabled: true
    dashboards:
      enterprise: true
security:
  rbac:
    enabled: true
  networkPolicies:
    enabled: true
  # PodSecurityPolicy was removed in Kubernetes 1.25, the minimum version the
  # prerequisites check requires above; on such clusters enforce pod security
  # with Pod Security Admission (pod-security.kubernetes.io/enforce namespace
  # labels) instead.
  podSecurityPolicy:
    enabled: true
User Management
Identity Providers
LDAP/Active Directory Integration
# auth-config.yaml
auth:
  providers:
    - name: "company-ldap"
      type: "ldap"
      config:
        server: "ldap.company.com:636"
        base_dn: "DC=company,DC=com"
        user_dn: "CN=Users,DC=company,DC=com"
        group_dn: "CN=Groups,DC=company,DC=com"
        bind_user: "CN=attest-service,CN=Users,DC=company,DC=com"
        bind_password: "${LDAP_PASSWORD}"
        user_id_attribute: "sAMAccountName"
        group_membership_attribute: "memberOf"
        tls:
          enabled: true
          skip_verify: false   # keep false: the bind password travels over this connection
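The provider above looks users up by `sAMAccountName` and reads `memberOf`, which means the login name a user types ends up inside an LDAP search filter. The following is an added example, not ATTEST's own code, showing the two checks a practitioner wants around that: RFC 4515 escaping of the login name so it cannot rewrite the filter, and restricting accepted groups to those under the configured `group_dn`. Attribute and DN values are taken from the config above; the helper names and the suffix-matching rule for `group_dn` are assumptions made for this example.

```python
# Added example (not ATTEST's own code): build the LDAP search filter that the
# "company-ldap" provider implies, escaping the login name per RFC 4515, and
# keep only memberOf values under the configured group_dn. Attribute and DN
# values come from auth-config.yaml; helper names and the suffix rule are
# assumptions.

USER_ID_ATTRIBUTE = "sAMAccountName"        # user_id_attribute
GROUP_DN = "CN=Groups,DC=company,DC=com"    # group_dn

# RFC 4515 section 3: characters that must be hex-escaped inside a filter value.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape one assertion value for use inside an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def user_search_filter(login: str) -> str:
    """Filter that matches exactly the user object for `login`.

    Without escaping, a login of "*)(objectClass=*" turns the filter into one
    that matches every user, and the bind that follows may hit the wrong entry.
    """
    return f"(&(objectClass=user)({USER_ID_ATTRIBUTE}={escape_filter_value(login)}))"


def groups_under_base(member_of: list, group_base_dn: str = GROUP_DN) -> list:
    """Keep only memberOf DNs that sit under group_dn.

    Suffix matching here is case-insensitive on the raw string; full RFC 4517
    DN matching (attribute-value normalisation) is the LDAP library's job in
    real use. Assumption: ATTEST honours group_dn as such a base.
    """
    suffix = "," + group_base_dn.lower()
    return [dn for dn in member_of if dn.lower().endswith(suffix)]


if __name__ == "__main__":
    # Constructed sample values, not from a real directory.
    print(user_search_filter("alice"))
    print(user_search_filter("*)(objectClass=*"))
    sample_member_of = [
        "CN=platform-team,CN=Groups,DC=company,DC=com",
        "CN=Domain Users,CN=Users,DC=company,DC=com",
    ]
    print(groups_under_base(sample_member_of))
```

The second `user_search_filter` call shows the injection attempt neutralised: every `*`, `(` and `)` in the login is hex-escaped, so the directory sees a literal value rather than a new filter clause.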
SAML Integration
auth:
  providers:
    - name: "company-saml"
      type: "saml"
      config:
        entity_id: "https://attest.company.com"
        sso_url: "https://sso.company.com/saml/sso"
        certificate: "/etc/attest/saml/company.crt"
        attribute_mapping:
          email: "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
          name: "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
          groups: "http://schemas.company.com/identity/claims/groups"
OAuth 2.0 / OpenID Connect
auth:
  providers:
    - name: "company-oidc"
      type: "oidc"
      config:
        issuer: "https://auth.company.com"
        client_id: "attest-enterprise"
        client_secret: "${OIDC_CLIENT_SECRET}"
        scopes: ["openid", "profile", "email", "groups"]
        redirect_url: "https://attest.company.com/auth/callback"
Role-Based Access Control
# rbac-config.yaml
roles:
  - name: "admin"
    permissions:
      - "manage:users"
      - "manage:policies"
      - "manage:keys"
      - "view:all"
      - "audit:all"
  - name: "developer"
    permissions:
      - "create:pipelines"
      - "view:own_projects"
      - "execute:builds"
  - name: "security_officer"
    permissions:
      - "view:security_reports"
      - "manage:policies"
      - "audit:all"
  - name: "viewer"
    permissions:
      - "view:pipelines"
      - "view:reports"
groups:
  - name: "platform-team"
    roles: ["admin"]
    members: ["alice@company.com", "bob@company.com"]
  - name: "dev-team-frontend"
    roles: ["developer"]
    projects: ["webapp", "mobile-app"]
  - name: "security-team"
    roles: ["security_officer"]
    scope: "global"
Centralized Management
Management Console
# Access management console. port-forward tunnels through the API server's
# TLS session; the service's port 80 is plain HTTP on the local end.
kubectl port-forward svc/attest-management 8080:80 -n attest-system
# Navigate to http://localhost:8080
# CLI management
attest enterprise manage users list
attest enterprise manage projects list
attest enterprise manage policies list
Project Management
# project-config.yaml
projects:
  - name: "webapp"
    description: "Frontend web application"
    teams: ["frontend-team"]
    environments: ["dev", "staging", "prod"]
    compliance_level: "standard"
  - name: "payment-service"
    description: "Payment processing microservice"
    teams: ["backend-team", "security-team"]
    environments: ["dev", "staging", "prod"]
    compliance_level: "strict"
    security:
      require_approval: true
      signing_required: true
Global Policies
# global-policies.yaml
global_policies:
  security:
    - name: "require-signature"
      description: "All production builds must be signed"
      scope: "environment:production"
      enforcement: "strict"
    - name: "security-scan"
      description: "All builds must pass security scanning"
      scope: "all"
      # "warn" records a failed scan but does not block the build; use
      # "strict" if the scan is meant to gate builds as the description says.
      enforcement: "warn"
  compliance:
    - name: "audit-trail"
      description: "Maintain complete audit trail"
      retention: "7 years"
      immutable: true
    - name: "separation-of-duties"
      description: "Require approval for production deployments"
      approvers:
        minimum: 2
        # release_manager is not defined in rbac-config.yaml above; until it
        # is, only security_officer holders can satisfy this rule.
        roles: ["security_officer", "release_manager"]
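To make the interaction between the RBAC configuration and the separation-of-duties policy concrete, here is an added example, not ATTEST's own authorization code, that evaluates both: a least-privilege permission check that honours the `projects` scoping of a group, and an approval check that rejects self-approval, counts each approver once, and ignores roles (such as `admin`) that the policy does not list. The roles and groups are transcribed from `rbac-config.yaml`; the members of `dev-team-frontend` and `security-team` are constructed because the page lists none, and the `<verb>:all` wildcard and project-scoping semantics are assumptions made for this example.

```python
# Added example (not ATTEST's own authorization code): evaluate rbac-config.yaml
# roles/groups and the separation-of-duties rule from global-policies.yaml.
# Members of dev-team-frontend and security-team are constructed; the
# "<verb>:all" wildcard and project scoping semantics are assumptions.
from typing import Optional

ROLES = {
    "admin": {"manage:users", "manage:policies", "manage:keys", "view:all", "audit:all"},
    "developer": {"create:pipelines", "view:own_projects", "execute:builds"},
    "security_officer": {"view:security_reports", "manage:policies", "audit:all"},
    "viewer": {"view:pipelines", "view:reports"},
}

GROUPS = [
    {"name": "platform-team", "roles": ["admin"],
     "members": ["alice@company.com", "bob@company.com"]},
    {"name": "dev-team-frontend", "roles": ["developer"],
     "projects": ["webapp", "mobile-app"],
     "members": ["carol@company.com"]},                       # members constructed
    {"name": "security-team", "roles": ["security_officer"], "scope": "global",
     "members": ["dana@company.com", "frank@company.com"]},   # members constructed
]

# separation-of-duties policy from global-policies.yaml
SEPARATION_OF_DUTIES = {"minimum": 2, "roles": ["security_officer", "release_manager"]}


def roles_of(user: str, project: Optional[str] = None) -> set:
    """Roles a user holds for `project`, honouring group project scoping.

    A group with a `projects` list grants its roles only inside those
    projects; a group without one (or with scope: global) grants them everywhere.
    """
    roles = set()
    for group in GROUPS:
        if user not in group.get("members", []):
            continue
        scoped = group.get("projects")
        if scoped is not None and project not in scoped:
            continue
        roles.update(group["roles"])
    return roles


def is_allowed(user: str, permission: str, project: Optional[str] = None) -> bool:
    """Least privilege: true only if a role the user holds in this project
    grants the permission, exactly or via "<verb>:all"."""
    verb = permission.split(":", 1)[0]
    for role in roles_of(user, project):
        perms = ROLES.get(role, set())
        if permission in perms or f"{verb}:all" in perms:
            return True
    return False


def approve_production_deploy(requester: str, approvers: list) -> tuple:
    """Separation of duties: the requester may not approve their own change,
    each approver counts once, and only holders of a listed approver role
    count. admin is not an approver role, so alice cannot approve alone."""
    approver_roles = set(SEPARATION_OF_DUTIES["roles"])
    valid = {a for a in approvers if a != requester and roles_of(a) & approver_roles}
    needed = SEPARATION_OF_DUTIES["minimum"]
    if len(valid) >= needed:
        return True, f"{len(valid)} distinct approvers holding {sorted(approver_roles)}"
    return False, f"need {needed} distinct approvers, have {len(valid)}"


if __name__ == "__main__":
    print(is_allowed("carol@company.com", "execute:builds", "webapp"))            # True
    print(is_allowed("carol@company.com", "execute:builds", "payment-service"))   # False
    print(approve_production_deploy("carol@company.com",
                                    ["dana@company.com", "frank@company.com"]))  # (True, ...)
    print(approve_production_deploy("dana@company.com",
                                    ["dana@company.com", "frank@company.com"]))  # (False, ...)
```

The two negative approval cases are the ones audits look for: an approver who is also the requester, and a duplicate approver padding the count to the minimum.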
Compliance & Governance
Compliance Frameworks
SOX Compliance
compliance:
  sox:
    enabled: true
    requirements:
      - "segregation_of_duties"
      - "change_management"
      - "access_controls"
      - "audit_trail"
    controls:
      change_approval:
        required: true
        approvers: 2
        roles: ["sox_approver"]   # not among the roles in rbac-config.yaml; define it there
      deployment_approval:
        production_only: true
        cooling_period: "24h"
HIPAA Compliance
compliance:
  hipaa:
    enabled: true
    requirements:
      - "data_encryption"
      - "access_logging"
      - "minimum_necessary"
      - "breach_notification"
    controls:
      encryption:
        at_rest: true
        in_transit: true
        key_management: "hsm"
      audit_logging:
        comprehensive: true
        retention: "6 years"
ISO 27001
compliance:
  iso27001:
    enabled: true
    # Identifiers follow the ISO/IEC 27001:2013 Annex A numbering;
    # ISO/IEC 27001:2022 renumbered and regrouped the controls.
    controls:
      - "A.9.1.1"   # Access control policy
      - "A.9.2.1"   # User registration and de-registration
      - "A.12.6.1"  # Management of technical vulnerabilities
      - "A.14.2.5"  # Secure system engineering principles
Audit and Reporting
# Generate compliance reports
attest enterprise audit generate \
--framework sox \
--period "2024-Q1" \
--output compliance-report-q1.pdf
# Continuous compliance monitoring
attest enterprise compliance monitor \
--frameworks sox,hipaa,iso27001 \
--alerts-webhook https://compliance.company.com/webhook
High Availability
Database High Availability
database:
  postgresql:
    architecture: "replication"
    primary:
      replicas: 1
    readReplicas:
      replicas: 2
    backup:
      enabled: true
      schedule: "0 2 * * *"
      retention: "30d"
    failover:
      automatic: true
      timeout: "30s"
Cache High Availability
cache:
  redis:
    architecture: "cluster"
    cluster:
      replicas: 6
      minimumMasters: 3
    # Redis Cluster performs its own failover; Sentinel applies only to the
    # non-cluster replication architecture, so the two are not combined.
    sentinel:
      enabled: false
      replicas: 3
    backup:
      schedule: "0 3 * * *"
      retention: "7d"
Load Balancing
load_balancer:
  type: "nginx"
  replicas: 3
  config:
    upstream:
      - "attest-api-1:8080"
      - "attest-api-2:8080"
      - "attest-api-3:8080"
    health_check:
      interval: "10s"
      timeout: "5s"
      retries: 3
Monitoring & Alerting
Enterprise Metrics
monitoring:
  prometheus:
    enabled: true
    retention: "90d"
    external_labels:
      cluster: "production"
      environment: "enterprise"
  grafana:
    enabled: true
    dashboards:
      - "enterprise-overview"
      - "compliance-dashboard"
      - "security-metrics"
      - "performance-analytics"
  alertmanager:
    enabled: true
    config:
      global:
        smtp_smarthost: "smtp.company.com:587"
      route:
        group_by: ["alertname", "cluster", "service"]
        group_wait: "10s"
        group_interval: "10s"
        repeat_interval: "1h"
        receiver: "enterprise-alerts"
Custom Alerts
alerts:
  - name: "enterprise-license-expiry"
    condition: "days_until_license_expiry < 30"
    severity: "warning"
  - name: "compliance-violation"
    condition: "compliance_violations > 0"
    severity: "critical"
  - name: "security-scan-failure"
    condition: "security_scan_failures > 5"
    severity: "high"
  - name: "audit-log-integrity"
    condition: "audit_log_verification_failed"
    severity: "critical"
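The `audit-log-integrity` alert above fires when verification of the audit trail fails, and the `audit-trail` policy earlier on this page asks for that trail to be immutable. What such a verification has to catch is easiest to see in code, so here is an added example, not ATTEST's own audit-log format: a hash-chained, HMAC-authenticated log where each record carries the MAC of the previous one. Verification replays the chain and detects an edited record and a deleted record; it also shows the one case a bare chain cannot detect, truncation of the newest records, which is why the latest MAC must be anchored out of band. The record fields, the choice of HMAC-SHA256, and keeping the MAC key outside the log store are assumptions made for this example.

```python
# Added example (not ATTEST's own audit-log format): hash-chained, HMAC-
# authenticated audit records plus the verification that the
# "audit-log-integrity" alert depends on. Record fields, HMAC-SHA256 and the
# out-of-band head anchor are assumptions made for this example.
import hashlib
import hmac
import json
from typing import Optional

GENESIS = "0" * 64  # "previous MAC" of the first record


def canonical(record: dict) -> bytes:
    """Stable byte encoding so the same record always MACs the same way."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def record_mac(key: bytes, body: dict) -> str:
    return hmac.new(key, canonical(body), hashlib.sha256).hexdigest()


class AuditLog:
    def __init__(self, key: bytes):
        self._key = key        # in practice held in the HSM/Vault, not beside the log
        self.records = []

    def append(self, actor: str, action: str, target: str) -> dict:
        prev = self.records[-1]["mac"] if self.records else GENESIS
        body = {"seq": len(self.records), "actor": actor, "action": action,
                "target": target, "prev": prev}
        rec = dict(body, mac=record_mac(self._key, body))
        self.records.append(rec)
        return rec

    def head(self) -> str:
        """Latest MAC; publish it out of band so truncation can be detected."""
        return self.records[-1]["mac"] if self.records else GENESIS


def verify_chain(records: list, key: bytes, expected_head: Optional[str] = None) -> tuple:
    """Return (ok, index of first bad record or None).

    Checks contiguous sequence numbers, that each record's prev equals the
    previous MAC, and that each MAC verifies under the key. With
    expected_head it also checks the last MAC, which is what catches truncation.
    """
    prev = GENESIS
    for i, rec in enumerate(records):
        body = {k: v for k, v in rec.items() if k != "mac"}
        if body.get("seq") != i or body.get("prev") != prev:
            return False, i
        if not hmac.compare_digest(record_mac(key, body), rec.get("mac", "")):
            return False, i
        prev = rec["mac"]
    if expected_head is not None and prev != expected_head:
        return False, len(records)
    return True, None


def demo() -> dict:
    """Constructed sample log; returns the verification outcome per scenario."""
    key = b"constructed-demo-key-do-not-use"
    log = AuditLog(key)
    log.append("alice@company.com", "manage:keys", "signing-key-01")
    log.append("dana@company.com", "approve", "payment-service/prod")
    log.append("carol@company.com", "execute:builds", "webapp")
    head = log.head()

    edited = [dict(r) for r in log.records]
    edited[1]["actor"] = "mallory@company.com"      # rewrite history in place
    deleted = log.records[:1] + log.records[2:]      # drop the approval record
    truncated = log.records[:2]                      # drop the newest record
    return {
        "intact": verify_chain(log.records, key, head),
        "edited": verify_chain(edited, key, head),
        "deleted": verify_chain(deleted, key, head),
        "truncated_chain_only": verify_chain(truncated, key),       # passes: chain alone cannot see it
        "truncated_with_head": verify_chain(truncated, key, head),  # caught by the anchored head
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The `truncated_chain_only` result is the point to take away: a chain proves that nothing inside it was changed, not that nothing was cut off the end, so the head MAC (or a periodic signed checkpoint) has to live somewhere the log writer cannot reach.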
Security
Enterprise Security Features
security:
  encryption:
    at_rest:
      enabled: true
      algorithm: "AES-256-GCM"
      key_rotation: "quarterly"
    in_transit:
      enabled: true
      tls_version: "1.3"
      # TLS 1.3 suites are fixed by RFC 8446 and some stacks (e.g. Go's
      # crypto/tls) do not allow restricting them. TLS_AES_128_GCM_SHA256 is
      # the mandatory-to-implement suite, so a server offering only the
      # AES-256 suite cannot talk to a minimally compliant client.
      cipher_suites: ["TLS_AES_256_GCM_SHA384"]
  hsm:
    enabled: true
    provider: "pkcs11"
    slots:
      - name: "signing"
        type: "signing"
        backup: true
      - name: "encryption"
        type: "encryption"
        backup: true
  network:
    isolation: true
    policies:
      ingress:
        - from_namespaces: ["attest-system"]
          ports: [8080, 9090]
      egress:
        # DNS needs both UDP and TCP 53. An egress allow-list this narrow
        # also blocks PostgreSQL, Redis and the Vault address configured
        # below unless those destinations are added here.
        - to_namespaces: ["kube-system"]
          ports: [53] # DNS
Secret Management
secrets:
  vault:
    enabled: true
    address: "https://vault.company.com"
    auth_method: "kubernetes"
    paths:
      signing_keys: "secret/attest/signing"
      api_keys: "secret/attest/api"
      certificates: "secret/attest/certs"
    rotation:
      enabled: true
      schedule: "0 2 1 * *" # Monthly: 02:00 on the 1st
Backup & Disaster Recovery
Backup Strategy
backup:
  database:
    schedule: "0 2 * * *"
    retention: "30d"
    encryption: true
    destinations:
      - "s3://company-backups/attest/db/"
      - "gs://company-dr/attest/db/"   # Google Cloud Storage URIs use the gs:// scheme
  cache:
    schedule: "0 3 * * *"
    retention: "7d"
    destinations:
      - "s3://company-backups/attest/cache/"
  config:
    # Config backups carry auth-config.yaml and the policy files; enable
    # encryption here as for the database.
    schedule: "0 1 * * *"
    retention: "90d"
    destinations:
      - "s3://company-backups/attest/config/"
Disaster Recovery
# DR testing. A 1h RPO cannot be met by the nightly backups alone; it relies
# on the database replication and multi-region failover configured above.
attest enterprise dr test \
--scenario "primary-region-failure" \
--target-rto "15m" \
--target-rpo "1h"
# DR activation: target the region configured with failover: true in the
# multi-region setup above (us-west-2 is shown here only as an example value)
attest enterprise dr activate \
--region "us-west-2" \
--restore-from "latest"
Cost Management
Resource Optimization
resource_management:
  auto_scaling:
    enabled: true
    metrics:
      - "cpu_utilization"
      - "memory_utilization"
      - "queue_length"
    targets:
      min_replicas: 3
      max_replicas: 20
      cpu_target: 70
  cost_controls:
    budget_alerts:
      - threshold: 80
        period: "monthly"
        action: "alert"
      - threshold: 95
        period: "monthly"
        action: "throttle"
Usage Analytics
# Cost analysis
attest enterprise cost analyze \
--period "2024-Q1" \
--breakdown "team,project,environment" \
--format excel
# Usage optimization
attest enterprise optimize \
--target "cost" \
--suggestions "aggressive"
Support & Services
Enterprise Support
support:
  level: "enterprise"
  sla:
    response_time:
      critical: "1h"
      high: "4h"
      medium: "8h"
      low: "24h"
  channels:
    - "phone"
    - "email"
    - "chat"
    - "dedicated_slack"
Professional Services
- Migration assistance
- Custom integration development
- Performance optimization
- Compliance consulting
- Training and certification
Success Management
- Dedicated customer success manager
- Quarterly business reviews
- Best practices workshops
- Regular health checks
Best Practices
Deployment
- Plan for high availability from the start
- Implement comprehensive monitoring before going live
- Test disaster recovery procedures regularly
- Use infrastructure as code for reproducible deployments
- Implement gradual rollouts for configuration changes
Security
- Follow least privilege principle for all access
- Enable all security features by default
- Regular security assessments and penetration testing
- Implement defense in depth strategies
- Maintain security documentation and procedures
Operations
- Automate routine tasks where possible
- Monitor business metrics not just technical metrics
- Implement proper change management procedures
- Regular capacity planning reviews
- Maintain runbooks for common operational scenarios
ATTEST Enterprise provides the scalability, security, and compliance features needed for large-scale deployments in enterprise environments.