Provisioning System
The MATIH provisioning system transforms a newly created tenant from PENDING status into a fully operational data platform with isolated Kubernetes namespaces, deployed services, DNS zones, ingress controllers, monitoring, and compliance policies. The system consists of 56 ordered provisioning steps organized into 9 phases.
Architecture
The provisioning system has two layers:
- ProvisioningOrchestrator -- Manages the high-level state machine and branches between FREE tier (shared cluster) and PROFESSIONAL/ENTERPRISE tier (dedicated infrastructure) flows
- ProvisioningService -- Executes individual provisioning steps sequentially, handles retries, and manages rollback
Provisioning Phases
| Phase | Steps | Description |
|---|---|---|
| 0 - Validation | 1-2 | Input validation and quota checks |
| 1 - Control Plane | 3-6 | Tenant record, admin user, roles, API keys |
| 2 - Kubernetes | 7-13 | Namespace, resource quotas, RBAC, network policies |
| 3 - Cloud Storage | 14-20 | Storage accounts, key vaults, managed identities |
| 4 - Data Infrastructure | 21-25 | Databases, caches, vector stores, search indices, message topics |
| 5 - Services | 26-42 | 13 data plane service deployments + ingress + DNS |
| 6 - Observability | 43-48 | Monitoring, audit logging, identity provider, billing, compliance |
| 7 - Cloud Infrastructure | 49-54 | Terraform provisioning, cloud AI services |
| 8 - Finalization | 55-56 | Welcome email and tenant activation |
Two-Tier Provisioning
The orchestrator branches based on the tenant tier:
FREE tier (shared cluster):
- Allocate namespace in shared cluster
- Configure resource quotas
- Deploy services to namespace
- Verify connectivity
- Complete provisioning
PROFESSIONAL/ENTERPRISE tier (dedicated infrastructure):
- Validate service principal credentials
- Acquire Terraform state lock
- Provision infrastructure via Terraform
- Create Kubernetes resources
- Deploy services to dedicated cluster
- Verify connectivity
- Complete provisioning
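The two-layer design (an orchestrator that branches on tier and a service that runs ordered steps with retries and rollback) is easier to reason about in code. The following is an added example written for this page, not MATIH's own ProvisioningOrchestrator or ProvisioningService. The step names come from the two tier lists above; the three-attempt retry, the retryable/non-retryable distinction, the reverse-order rollback, the tenant keys `service_principal` and `simulate_unreachable`, and the resource labels are assumptions made for illustration.

```python
# Added example for this page, not MATIH's own code. Step names follow the page's
# tier lists; retry count, rollback logic, tenant keys and labels are assumptions.
from dataclasses import dataclass, field
from typing import Callable, List, NamedTuple, Optional

class StepFailed(Exception):  # retryable=False stops retrying immediately
    def __init__(self, msg: str, retryable: bool = True) -> None:
        super().__init__(msg)
        self.retryable = retryable

class Step(NamedTuple):
    name: str
    run: Callable[[dict], None]
    undo: Optional[Callable[[dict], None]] = None  # None: nothing to roll back

def creates(step_name: str, resource: str) -> Step:
    # A step that records a created resource and removes it again on rollback.
    return Step(step_name, lambda ctx: ctx["resources"].append(resource),
                lambda ctx: ctx["resources"].remove(resource))

def validate_sp(ctx: dict) -> None:
    if not ctx["tenant"].get("service_principal"):  # retrying cannot fix this
        raise StepFailed("no service principal credentials", retryable=False)

def acquire_lock(ctx: dict) -> None:
    if ctx["tf_lock_held"]:
        raise StepFailed("Terraform state lock already held")
    ctx["tf_lock_held"] = True

def release_lock(ctx: dict) -> None:
    ctx["tf_lock_held"] = False

def verify_connectivity(ctx: dict) -> None:
    # Constructed failure switch so the rollback path can be exercised offline.
    if ctx["tenant"].get("simulate_unreachable"):
        raise StepFailed("deployed services not reachable")

def free_tier_steps() -> List[Step]:
    return [creates("Allocate namespace in shared cluster", "namespace"),
            creates("Configure resource quotas", "resource-quota"),
            creates("Deploy services to namespace", "services"),
            Step("Verify connectivity", verify_connectivity),
            Step("Complete provisioning", lambda ctx: None)]

def dedicated_tier_steps() -> List[Step]:
    return [Step("Validate service principal credentials", validate_sp),
            Step("Acquire Terraform state lock", acquire_lock, release_lock),
            creates("Provision infrastructure via Terraform", "dedicated-cluster"),
            creates("Create Kubernetes resources", "namespace"),
            creates("Deploy services to dedicated cluster", "services"),
            Step("Verify connectivity", verify_connectivity),
            Step("Complete provisioning", release_lock)]  # lock released on success

FLOWS = {"FREE": free_tier_steps, "PROFESSIONAL": dedicated_tier_steps,
         "ENTERPRISE": dedicated_tier_steps}

@dataclass
class ProvisioningService:  # runs steps in order, retries, rolls back on failure
    max_attempts: int = 3
    log: List[str] = field(default_factory=list)

    def execute(self, steps: List[Step], ctx: dict) -> None:
        completed: List[Step] = []
        for step in steps:
            if not self.run_with_retry(step, ctx):
                self.rollback(completed, ctx)
                ctx["status"] = "FAILED"
                return
            completed.append(step)
        ctx["status"] = "ACTIVE"

    def run_with_retry(self, step: Step, ctx: dict) -> bool:
        for attempt in range(1, self.max_attempts + 1):
            try:
                step.run(ctx)
                self.log.append(f"ok {step.name}")
                return True
            except StepFailed as err:
                self.log.append(f"fail {step.name} attempt {attempt}: {err}")
                if not err.retryable:
                    break
        return False

    def rollback(self, completed: List[Step], ctx: dict) -> None:
        # Undo in reverse order so no namespace or state lock is left behind.
        for step in reversed(completed):
            if step.undo is not None:
                step.undo(ctx)
                self.log.append(f"undo {step.name}")

@dataclass
class ProvisioningOrchestrator:  # picks the FREE or dedicated flow and runs it
    service: ProvisioningService = field(default_factory=ProvisioningService)

    def provision(self, tenant: dict) -> dict:
        if tenant["tier"] not in FLOWS:
            raise ValueError(f"unknown tier {tenant['tier']!r}")
        ctx = {"tenant": tenant, "status": "PROVISIONING", "resources": [], "tf_lock_held": False}
        self.service.execute(FLOWS[tenant["tier"]](), ctx)
        return ctx
```

Real steps would call Kubernetes, Helm and Terraform; here each step only writes into the context dict so the control flow can be exercised offline. The points worth checking in any implementation are visible in the log after a failed dedicated-tier run: the failing step is retried up to the limit, credential validation is not retried at all, completed steps are undone in reverse order, and the Terraform state lock is released on both the success and the failure path. A tenant that fails provisioning should end with no leftover namespace and no held lock, which is what the Rollback procedures have to guarantee.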
Sections
| Page | Description |
|---|---|
| State Machine | State machine states, transitions, and error handling |
| Namespace Creation | Kubernetes namespace setup, RBAC, quotas |
| Service Deployment | Helm-based service deployment per tenant |
| DNS Zones | Azure DNS child zones, NS delegation |
| Ingress Setup | Per-tenant NGINX ingress and TLS |
| Observability Setup | Monitoring stack provisioning |
| Audit Trail | Provisioning audit logging |
| Rollback | Rollback procedures and failure handling |