Overview

To deploy the Open AMT Cloud Toolkit to a production environment, replace default reference implementation components with more robust or full-featured components. Each section below lists the default reference implementation component included with toolkit along with suggestions for replacement.

Database Selection

The Docker-based PostgreSQL* image used in docker-compose.yml provides enough functionality for proof-of-concept creation and development. However, to enable the toolkit for production, leverage a managed database instance offered by a public cloud provider or a database hosted by your internal IT.

Regardless of the deployment scenario (i.e., a VM, Kubernetes, Docker Swarm, a native environment), managing state in your cluster comes with a higher risk of data loss than that of a managed database instance.

Default Component

• PostgreSQL

Example Replacements

• Azure Database for PostgreSQL
• Azure SQL Database
• Amazon Relational Database Service (RDS)
• MS SQL Server
• MariaDB

For more information about replacing the default toolkit database, see the Database Replacement guide.

Secrets Management

A secret is any asset requiring controlled access, such as API keys, passwords, or certificates.

The toolkit enables secrets management with HashiCorp Vault*, which provides a secure repository for storing and accessing sensitive assets. Vault offers a unified interface to any secret, tight access control, and a detailed audit log.

While Vault provides a comprehensive solution for managing and persisting state in a K8s cluster, use of a managed secret provider, such as Azure Key Vault, offloads this role and helps reduce the overhead of secrets management in the toolkit.

Additionally, if a secret provider is not necessary for your deployment, consider removing it and leveraging some other backing store for secrets.

Default Component

• HashiCorp Vault

Example Replacements

• Azure Key Vault
• AWS Key Management Service (KMS)

For more information about replacing the default secret provider, see the Secrets Management guide.

API Gateway

The toolkit uses Kong as its open source API gateway. Kong provides an entry point for external clients, anything not a part of the microservice system, and a comprehensive suite of plugins for various scenarios.

Default Component

• Kong

Example Replacements

• Azure API Gateway
• Amazon API Gateway
• Google Cloud Endpoints
• Tyk

Centralized Configuration

Centralized Configuration (Consul) is a Preview Feature

The Consul implementation feature is a Preview Feature and is subject to change. This means it has not been fully validated and cannot be guaranteed to work. There are still potential bugs and tweaks needed for a production-level feature standard. Interested in this feature and helping us test it? Reach out via GitHub.

The toolkit utilizes Consul to implement centralized configuration of the MPS and RPS services. This is an optional, opt-in service that is deployed, but not enabled by default.

Default Component

• Hashicorp Consul

Example Replacements

• etcd
• Apache Zookeeper

By default, Consul is deployed, but not utilized. For more information about enabling Consul, see the Service Mesh guide.